diff --git a/java/building-plugins.md b/java/building-plugins.md
index 8f7136f76..1faf0dddb 100644
--- a/java/building-plugins.md
+++ b/java/building-plugins.md
@@ -29,7 +29,7 @@ When building CAP Java plugin modules, you need to keep in mind that the generat
 Of course, it's up to your project / plugin how you call the corresponding Maven GroupId and Java packages. To avoid confusion and also to make responsibilities clear `com.sap.cds` for GroupId and Java package names are reserved for components maintained by the CAP Java team and must not be used for external plugins. This rule also includes substructures to `com.sap.cds` like `com.sap.cds.foo.plugin`.
 
 
-## Share CDS Models via Maven Artifacts
+## Reusable CDS Artifacts
 
 CDS models, CSV import data and i18n files can be shared through Maven dependencies. In addition they can also be shared through npm packages.
 This means you can provide CDS models, CSV files, i18n files, and Java code (for example, event handlers) in a single Maven dependency.
@@ -103,6 +103,10 @@ The location in the `using` directive differs from the default [CDS model resolu
 
 This technique can be used independently or together with one or more of the techniques described on this page.
 
+::: tip Domain modelling best-practices
+When modelling and naming your artifacts, consider CAP [best-practices](../@external/guides/domain-modeling#best-practices) for domain modelling, which detail naming conventions and design principles.
+:::
+
 ## Event Handlers for Custom Types and Annotations
 
 In CAP Java, event handlers aren't tightly coupled to the request handling or any other runtime components. Thus, it's easily possible to package event handlers in external libraries (like plugins) in order to provide common but custom functionality to CAP Java applications. You can achieve this by defining custom handlers that react on model characteristics (common types or annotations) or also on entity values, for example, validations.
diff --git a/node.js/assets/fiori-generic-sort-filter.mp4 b/node.js/assets/fiori-generic-sort-filter.mp4
new file mode 100644
index 000000000..a5d6fa9cc
Binary files /dev/null and b/node.js/assets/fiori-generic-sort-filter.mp4 differ
diff --git a/node.js/cds-plugins.md b/node.js/cds-plugins.md
index 445b456c3..4e254dc6f 100644
--- a/node.js/cds-plugins.md
+++ b/node.js/cds-plugins.md
@@ -12,9 +12,11 @@ The `cds-plugin` technique allows to provide extension packages with auto-config
 
 
 
-## Add a `cds-plugin.js`
+## Starting a new plugin
 
-Simply add a file `cds-plugin.js` next to the `package.json` of your package to have this detected and loaded automatically when bootstrapping CAP Node.js servers through `cds serve`, or other CLI commands.
+Simply add a file `cds-plugin.js` next to the `package.json` of your reuse package to have this detected and loaded automatically when starting CAP Node.js servers.
+
+Meaning when an application downloads your package `npm i my-plugin` and afterwards starts the CAP server with `cds watch`, the packages `cds-plugin.js` file will automatically be detected and executed during startup.
 
 Within such `cds-plugin.js` modules you can use [the `cds` facade](cds-facade) object, to register to lifecycle events or plugin to other parts of the framework. For example, they can react to lifecycle events, the very same way as in [custom `server.js`](cds-server#custom-server-js) modules:
 
@@ -22,13 +24,102 @@ Within such `cds-plugin.js` modules you can use [the `cds` facade](cds-facade) o
 
 ```js [cds-plugin.js]
 const cds = require('@sap/cds')
-cds.on('served', ()=>{ ... })
+cds.on('served', ()=>{ /**...*/ })
+```
+```json [package.json]
+{
+  "name": "my-plugin",
+  "version": "1.0.0",
+  "description": "Sample to explain how CDS plugins work",
+  "main": "cds-plugin.js",
+  "files": [
+    "_i18n",
+    "lib",
+    "srv",
+    "db",
+    "index.cds",
+    "cds-plugin.js",
+    "README.md",
+    "LICENSE",
+    "CHANGELOG.md"
+  ],
+  "peerDependencies": {
+    "@sap/cds": ">=9"
+  },
+  "devDependencies": {
+    "@cap-js/cds-test": "^0.4.0",
+    "@cap-js/sqlite": "^2"
+  },
+  "engines": {
+    "node": "^20"
+  },
+  "scripts": {
+    "lint": "npx eslint .",
+    "test": "npx jest --silent"
+  },
+  "cds": {
+    "requires": {
+      "my-service": {
+        "[production]": {
+          "kind": "kind1"
+        },
+        "[development]": {
+          "kind": "kind2"
+        },
+        "[hybrid]": {
+          "kind": "kind1"
+        },
+        "kinds": {
+          "my-service-kind1": {
+            "impl": "my-plugin/srv/myservice"
+          },
+          "my-service-kind2": {
+            "impl": "my-plugin/srv/myservice-mock"
+          }
+        }
+      }
+    }
+  }
+}
+```
+
+```js [srv/myservice]
+const cds = require('@sap/cds')
+const LOG = cds.log('my-plugin')
+
+module.exports = class MyService extends cds.Service {
+  init() {
+    // Register handlers to execute logic ...
+
+    this.on('MyEvent', async req => {
+      const credentials = cds.env.requires["my-service"].credentials
+      // Do something
+    })
+    return super.init()
+  }
+}
 ```
 
+```js [srv/myservice-mock]
+const cds = require('@sap/cds')
+const LOG = cds.log('my-plugin')
+
+module.exports = class MyServiceMock extends cds.Service {
+  init() {
+    // Register the same handlers as in MyService but have a mocked impl
+    return super.init()
+  }
+}
+```
 :::
 
 Sometimes `cds-plugin.js` files can also be empty, for example if your plugin only registers new settings.
 
+::: danger Avoiding state in services
+
+Keep in mind in multi-tenant scenarios the CAP service is shared across all tenants! Thus you must store any tenant specific state, like credentials for a remote BTP service, in a map with the tenant ID as the key to maintain tenant separation.
+
+:::
 
 
 ## Auto-Configuration
@@ -45,12 +136,12 @@ For example, this is the configuration provided by the new SQLite service packag
     "requires": {
       "db": "sql",
       "kinds": {
-        "sql": {
+        "db-sql": {
           "[development]": {
             "kind": "sqlite"
           }
         },
-        "sqlite": {
+        "db-sqlite": {
           "impl": "@cap-js/sqlite"
         }
       },
@@ -61,26 +152,302 @@ For example, this is the configuration provided by the new SQLite service packag
 
 :::
 
-In effect this automatically configures a required `db` service using the `sql` preset. This preset is configured below to use the `sqlite` preset in development. The `sqlite` preset is in turn configured below, to use the plugin package's main as implementation.
+In effect this automatically configures a required `db` service using the `sql` preset. 
 
+This preset is configured below to use the `sqlite` preset in development. The `sqlite` preset is in turn configured, to use the plugin package's main as the implementation.
 
+The profiles, like "development", are explained in the [Configuration Profiles](./cds-env#profiles) section.
 
-## cds. plugins {.property}
+::: danger Prefix kinds
+All kinds need to be prefixed with the service for which they are intended to be used. Else they might clash with kinds from other plugins.
+:::
 
-This property refers to a module that implements the plugin machinery in cds, by fetching and loading installed plugins along these lines:
+The following example is from the data privacy plugin. Here the Information service uses a model property to specify a `.cds` file used as the domain model for that service. The domain model imported via that path is then added to the domain model of the application.
 
-1. For all entries in your *package.json*'s `dependencies` and `devDependencies` ...
-2. Select all target packages having a `cds-plugin.js` file in their roots ...
-3. Add all target packages' `cds` entry in their *package.json* to [`cds.env`](cds-env)
-4. Load all target packages' `cds-plugin.js` module
+::: code-group
 
-The plugin mechanism is activated by adding this to CLI commands:
+```json [package.json]
+{
+  "cds": {
+    "requires": {
+      "sap.dpp.RetentionService": {
+        "kind": "TableHeaderBlocking"
+      },
+      "sap.dpp.InformationService": {
+        "model": "@sap/cds-dpi/srv/DPIInformation"
+      },
+      "kinds": {
+        "sap.dpp.RetentionService-TableHeaderBlocking": {
+          "impl": "@sap/cds-dpi/srv/TableHeaderBlocking",
+          "model": "@sap/cds-dpi/srv/TableHeaderBlocking"
+        }
+      }
+    }
+  }
+}
+```
+
+:::
+
+### Service variants
+
+As seen above in the sample the different kinds can be used to offer different variants of your plugin. This makes sense to for example have one `db` service but variants for different databases or one `audit-log` but variants for different Audit logging service plans.
+
+The service variants are especially handy to provide a mocked version of the service, in case your plugin integrates with a Cloud Service, so applications can still run locally and test basic functionality without needing to connect to the Cloud Service during development.
+
+The mocked variant usually just logs the events send to your service to the console. For example `@cap-js/audit-logging` logs the audit logs to the console when in development and `@cap-js/attachments` only logs that a malware scan is triggered without actually scanning as the Malware Scanning service is locally not connected.
+
+Variant independent applications can connect to your service via `cds.connect` and depending on the kind configured a different service is returned.
 
 ```js
-await cds.plugins
+// Returns "MyService" in hybrid or production mode, 
+// but with the development profile it returns "MyServiceMock"
+await cds.connect.to('my-service');
 ```
 
-Currently, the following commands support plugins: `cds-serve`, `cds watch`, `cds run`, `cds env`, `cds deploy`, `cds build`, `cds.test()`.
+### Reading BTP service bindings / credentials
+
+To access the service credentials, refer to the [service binding documentation](./cds-connect.md#service-bindings).
+
+It describes how you can map a CAP service listed under `cds.requires` to a BTP service.
+
+During runtime the credentials are then part of [`cds.env`](./cds-env.md#cds-env):
+
+```js
+srv.before('UPDATE', 'myEntity', req => {
+  const credentials = cds.env.requires["my-service"].credentials
+  // Do something
+})
+```
+
+::: danger Do not access `VCAP_SERVICES` directly
+Do not read the credentials from `process.env.VCAP_SERVICES`! `VCAP_SERVICES` is set by Cloud Foundry and as such not available in Kyma scenarios or when `VCAP_SERVICES_PATH` is given. Thus always prefer reading from `cds.env` to stay platform agnostic.
+:::
+
+#### Connecting to BTP services
+
+Before you use `axios` or `node:fetch`, you can use the [`Cloud SDK`](https://sap.github.io/cloud-sdk/) and its functions `executeHttpRequest` and `getDestination` to retrieve a destination from BTP and run an HTTP request against it. This takes full care of doing the authentication and is the preferred method for communicating with BTP services so your plugin does not need to fetch the token itself.
+
+If you do not have a destination at hand the Cloud SDK supports service bindings as well.
+
+### Early exit
+
+Have an early exit option for your plugin so apps can easily disable the plugin in specific profiles. Disablement should be done by setting your service in the requires section to `null`.
+
+```json
+"cds": {
+  "requires": {
+    "myservice": null
+  }
+}
+```
+
+Early on in your logic, you should have some logic, like this:
+
+::: code-group
+
+```js [cds-plugin.js]
+if (cds.env.requires['my-service']) {
+  const cds = require('@sap/cds')
+  cds.on('served', ()=>{ /**...*/ })
+}
+```
+:::
+
+## Reusable CDS Artifacts
+
+There are two options for adding additional artifacts (properties, entities, services, …) to the CAP data model. The first is by modelling the CDS artifact in your plugin in a `.cds` file. The second is by injecting it via JavaScript code during the CAP build step or when CAP loads the data model. 
+The first option is described below:
+
+Add an `index.cds` file in the root folder of your plugin. In this file, you can model as many artifacts as you wish. But for code separation, it is recommended to have a `db` or `srv` folder for your artifacts and only reference the cds files subsequently in the `index.cds`.
+
+An example could look like:
+
+`db/schema.cds`:
+```cds
+namespace sap.reuse;
+
+aspect ReuseArtifact {
+  key ID: UUID;
+  prop1: String;
+}
+```
+
+`index.cds`:
+```cds
+using from './db/schema.cds';
+```
+
+The reuse [aspect](../cds/cdl#aspects) is then referenced in the CAP application by writing the following, referencing the `index.cds` file from the npm package as which the plugin is published.
+
+`Some CDS file in the consuming project`:
+```cds
+using {sap.reuse.ReuseArtifact} from '@cap-js/plugin-sample';
+```
+
+::: tip Domain modelling best-practices
+When modelling and naming your artifacts, consider CAP [best-practices](../guides/domain-modeling#best-practices) for domain modelling, which detail naming conventions and design principles.
+:::
+
+## Domain model interactions
+
+The [CSN](../cds/csn.md) file is CAPs compiled data model. All `.cds` files are compiled to a single CSN, which is used at runtime to serve the OData services and respond to queries.
+
+#### Traversing the model
+
+The model is available after bootstrapping via `cds.context.model ?? cds.model`. During bootstrapping each service which gets instantiated has its model attached which you can also access.
+
+`cds.context.model` is only available at runtime because it is based on the tenant from which the request originates.
+
+```js
+cds.on('compile.for.runtime', model => {
+  model.definitions
+})
+```
+
+The definitions is an object which contains all artifacts from the model, like type definitions, aspects, entities, projections, services. Each has a "type" property via which you can filter for your desired artifacts to modify or inspect.
+
+Entities exposed as part of a service have either a "query" or "projection" property, via which you can get down the chain of entities till you reach the base entity, used for the database table definition.
+
+You can also reflect the model via `cds.reflect(<csn>)` which enhances the `CSN` with a variety of helper methods, making it easier to traverse the model. However keep in mind changes to the model must be made to the plain model handed over by the event!
+
+For example `cds.reflect` adds the `_target` property to associations to easily get to the artifact the association points to. 
+
+Regarding compositions and associations keep in mind that compositions are just a special kind of associations so the associations property contains both plain associations and compositions.
+
+#### Reading annotations
+
+[Annotations](../cds/cdl#annotations) are used for marking up CDS artifacts with additional information. In the CSN they are normalised object properties, e.g. flattened, meaning
+
+```cds
+@Common : {
+  Text : currency.name,
+  TextArrangement : #TextOnly,
+  ValueListWithFixedValues,
+  ValueList : {
+    CollectionPath : 'Currencies',
+    Parameters : [
+      {
+        $Type : 'Common.ValueListParameterInOut',
+        LocalDataProperty : code,
+        ValueListProperty : 'code',
+      }
+    ]
+  }
+}
+currency: Association to one Currencies;
+```
+
+would result in
+
+```json
+"currency": {
+  "@Common.Text": {"=": "currency.name"},
+  "@Common.TextArrangement" : {"#": "TextOnly"},
+  "@Common.ValueListWithFixedValues": true,
+  "@Common.ValueList.CollectionPath": "Currencies",
+  "@Common.ValueList.Parameters": [{
+    "$Type" : "Common.ValueListParameterInOut",
+    "LocalDataProperty" : {"=": "code"},
+    "ValueListProperty" : "code",
+  }],
+  "type": "cds.Association",
+  "cardinality": {"max": 1}
+}
+```
+
+When defining own annotations consider the section [Code completion](../../plugins/development-guide#code-completion).
+
+#### Dynamically modifying the model
+
+Via [lifecycle events](./cds-compile#compile-to-edmx) you can modify the model before it is used by the CAP for various purposes, like creating the database artifacts, the runtime model or the OData services.
+
+```js
+const cds = require('@sap/cds')
+cds.on('compile.for.runtime', m => enhanceModel(m))
+cds.on('compile.to.dbx', m => enhanceModel(m))
+cds.on('compile.to.edmx', m => enhanceModel(m))
+```
+
+In there you can add additional associations or properties based on annotations, add additional services or in general modify artifacts as needed.
+
+Because the events can trigger multiple times set a flag in the meta information to not run your modifications twice on the same model.
+
+```js
+function enhanceModel(m) {
+  const meta = m.meta ??= {};
+  if (meta['sap.myservice.enhancements']) return;
+
+  //Do modifications to m.definitions
+
+  meta['sap.myservice.enhancements'] = true;
+
+}
+```
+
+Importantly you need to consider, that in multi-tenancy setups the model is owned by the MTX micro-service and as such your plugin must then also be part of the MTX micro-service `package.json` file to ensure the model modifications are done to the models used by every tenant.
+
+## Registering additional handler
+
+CAPs powerful handler loop allow plugins to add additional handlers to react on requests and modify responses.
+
+#### Registering handlers
+
+While usually, handlers are registered when defining the service, plugins often have to register additional handlers in existing services to add in logic of the plugin. 
+
+Commonly the [server lifecycle](./cds-server#lifecycle-events) events are used to register additional handlers on existing services:
+
+::: code-group
+```js [Bad practice]
+cds.on('served', services => {
+  for (const name in services) {
+    const srv = services[name]
+    if (srv instanceof cds.ApplicationService /* && scenario check when to add handlers*/) {
+      for (const entity in srv.entities) {
+        if (/** Some check on entity */) continue;
+        srv.before('READ', srv.entities[entity], req => {
+          // Additional logic;
+        });
+      }
+    }
+  }
+});
+```
+:::
+
+However this approach has two downsides:
+
+1. The `served` lifecycle event is used, which makes it harder for consuming applications to register additional handlers on top of the plugin. If the plugin registers `on` handlers via `srv.prepend` the consuming application cannot add their own on handlers via `srv.prepend` with good conscious during that stage as it is undefined which event handler for `served` is executed first, leading to an ambiguous situation where it is not clear which on handler has precedence.
+2. The handlers are registered per entity. While this works fine for plugins only consumed by single-tenant applications, it will cause problems in multi-tenancy scenarios. `srv.entities` is based on the base model of the CAP service `cds.model`. However in multi-tenant scenarios the model can be extended at runtime for each tenant, be it via [feature toggles](../guides/extensibility/feature-toggles.md) or [customer extensions](../guides/extensibility/index.md#extensibility). At runtime `cds.context.model` contains the model which is currently active for the tenant of an incoming request and during server startup the tenant-specifc models are not available. For example the attachments entity from `@cap-js/attachments` could be placed behind a feature toggle. This means `cds.model` won't contain any reference to attachments, but at runtime `cds.context.model` will, when the feature toggle is activated.
+
+To avoid these two problems, use CAPs way for [adding generic handler](./app-services.md#adding-generic-handlers). This means, that when an application service is initialized, first the handlers from the application service are registered, thus having precedence, and afterwards the generic handlers from CAP itself and your plugin are added.
+
+::: code-group
+```js [Good practice]
+const cds = require('@sap/cds')
+
+cds.ApplicationService.handle_my_service = cds.service.impl (function(){
+  if (!cds.env.requires['my-service']) return;
+  this.before('*', req => {
+    if (/** Some check on req.target */) continue;
+    // Additional logic;
+  })
+})
+```
+:::
+
+::: danger The dangers of generic handlers
+While registering handlers assume the least possible and always check for your use case. Generic handlers are quite powerful but as they are generic all kinds of requests will go through them, like messaging request, analytical OData calls, $count calls or file stream requests.
+
+- Check the dangers of [`req.query`](./events.md#query) to be aware of
+- Check the dangers of [`req.data`](./events.md#data) to be aware of
+- Check out the [performance considerations](./core-services.md#performance-considerations) for event handlers
+- Check out the [implications of data modification in after handlers](./core-services.md#implication-when-modifying-data-in-after-handlers)
+:::
+
+While `before` and `after` handlers are called by CAP in parallel, `on` handlers behave like express middlewares, where the next middleware must be explicitly called. For plugins this means each `on` handler must always call next `on` handler when the conditions they check for are not met!
+
+If you want to enhance the generic authentication and authorization consider [initial handlers](./core-services.md#initial-handlers)
 
 ## Configuration Schema <Beta /> { #configuration-schema }
 
@@ -129,3 +496,24 @@ Currently, the following schema contribution points are supported:
 #### Usage In a CAP Project
 
 <video src="./assets/schema-usage_compressed.mp4" autoplay loop muted webkit-playsinline playsinline />{.ignore-dark style="width: 688px"}
+
+
+## How the plugins hook is implemented in CAP
+
+#### cds. plugins {.property}
+This property refers to a module that implements the plugin machinery in cds, by fetching and loading installed plugins along these lines:
+
+1. For all entries in your *package.json*'s `dependencies` and `devDependencies` ...
+2. Select all target packages having a `cds-plugin.js` file in their roots ...
+3. Add all target packages' `cds` entry in their *package.json* to [`cds.env`](cds-env)
+4. Load all target packages' `cds-plugin.js` module
+
+The plugin mechanism is activated by adding this to CLI commands:
+
+```js
+await cds.plugins
+```
+
+Meaning on server startup CAP itself calls `await cds.plugins` to load and activate all plugins before continuing to serve the application services.
+
+Currently, the following commands support plugins: `cds-serve`, `cds watch`, `cds run`, `cds env`, `cds deploy`, `cds build`, `cds.test()`.
diff --git a/node.js/cds-server.md b/node.js/cds-server.md
index 1a4d71f15..7cbffa3d3 100644
--- a/node.js/cds-server.md
+++ b/node.js/cds-server.md
@@ -221,6 +221,9 @@ cds.on('served', async (services) => {
 
 This event supports _asynchronous_ event handlers.
 
+::: danger Everything in CAP is a service
+`cds.connect.to`  connects you to a service. This however means that only after the service is initalized, you can connect to it. For example `cds.connect.to('db')` will only function after the `db` service is served, e.g. should only be used in the `served` and `listening` events.
+:::
 
 ### listening {.event}
 
diff --git a/node.js/core-services.md b/node.js/core-services.md
index 35d47f23e..59819055d 100644
--- a/node.js/core-services.md
+++ b/node.js/core-services.md
@@ -584,7 +584,7 @@ The input validation handlers above collect input errors with [`req.error()`](./
 
 [Learn more about how requests are processed by `srv.handle(req)`](#srv-handle-event) {.learn-more}
 
-
+<div id="afterbefore" />
 
 ### srv. after (request) {.method}
 
@@ -625,7 +625,107 @@ this.after ('each', Books, book => {
 
 [Learn more about how requests are processed by `srv.handle(req)`](#srv-handle-event) {.learn-more}
 
+#### Implication when modifying data in `after` handlers
+
+A unique feature for CAP and Fiori apps, contributing to enterprise ready solutions, is that usually data can be arbitrarily filtered, sorted or grouped on the UI. These operations are pushed down to the database by CAP and thus the response received in an `after` handler already considers these query parameters. Data modifications in `after` handlers should never cause deviations from that.
+
+<video src="./assets/fiori-generic-sort-filter.mp4" autoplay loop muted webkit-playsinline playsinline />{.ignore-dark style="width: 688px"}
+
+Just imagine if a user requests to sort a table after a column from A to Z but the data returned does not come back A to Z because an `after` handler modified the values yielding a different structure. The user would be confused, the application would get tickets, a colleague would confusingly debug to just find out one `after` handler, out of potentially many, modifies data in a way that does not work with the UI.
+
+::: code-group
+
+```js [catalog.js]
+module.exports = srv => {
+  srv.after('READ', srv.entities.Books, (res, req) => {// [!code --]
+    for (const book of res) {// [!code --]
+      book.price = book.stock > 100 ? book.price * 0.9 : book.price // [!code --]
+    }// [!code --]
+  })// [!code --]
+  
+  srv.before('READ', srv.entities.Books, async (req) => { // [!code --]
+    if ( // [!code --]
+      req.query.SELECT.columns && // [!code --]
+      !req.query.SELECT.columns.some(c => c.ref && c.ref[0] === 'stock') && // [!code --]
+      req.query.SELECT.columns.some(c => c.ref && c.ref[0] === 'price')  // [!code --]
+    ) { // [!code --]
+      req.query.SELECT.columns.push({ref: ['stock']}) // [!code --]
+    } // [!code --]
+  }) // [!code --]
+}
+```
+
+```cds [catalog.cds]
+service CatalogService {
+  entity Books as projection on persistence.Books; // [!code --]
+  entity Books as projection on persistence.Books { // [!code ++]
+    *, // [!code ++]
+    (stock > 100 ? price * 0.9 : price) as price// [!code ++]
+  };// [!code ++]
+}
+```
+
+:::
+
+Prefer using conditional statements within the entity projection directly or add the conditional statements dynamically in a `before` handler to push the conditions down to the database so it can apply sorting and filtering correctly.
+
+::: code-group
+
+```js [catalog.js]
+module.exports = srv => {
+  srv.after('READ', srv.entities.Books, (res, req) => {// [!code --]
+    for (const book of res) {// [!code --]
+      book.price = book.stock > 100 ? book.price * 0.9 : book.price // [!code --]
+    }// [!code --]
+  })// [!code --]
+  
+  srv.before('READ', srv.entities.Books, async (req) => {
+    if ( // [!code --]
+      req.query.SELECT.columns && // [!code --]
+      !req.query.SELECT.columns.some(c => c.ref && c.ref[0] === 'stock') && // [!code --]
+      req.query.SELECT.columns.some(c => c.ref && c.ref[0] === 'price')  // [!code --]
+    ) { // [!code --]
+      req.query.SELECT.columns.push({ref: ['stock']}) // [!code --]
+    } // [!code --]
+    if (req.query.SELECT.columns /* && additional logic check */) { // [!code ++]
+      const priceCol = req.query.SELECT.columns?.indexOf(c => c.ref && c.ref[0] === 'price')// [!code ++]
+      if (priceCol >= 0) {// [!code ++]
+        req.query.SELECT.columns.splice(priceCol, 1)// [!code ++]
+      }// [!code ++]
+      req.query.SELECT.columns.push({// [!code ++]
+        xpr: ['case', 'when', {ref: ['stock']}, '>', {val: 100}, // [!code ++]
+          'then', {ref: ['price']}, '*', {val: 0.9}, // [!code ++]
+          'else', {ref: ['stock']}, // [!code ++]
+        'end'], // [!code ++]
+        as: 'price'})// [!code ++]
+    }// [!code ++]
+  })
+}
+```
+
+:::
+
+There are valid cases where data modifications must be made and sorting or filtering cannot be considered. In those cases you must add the correct `@Capabilities` annotations to the entity in question to ensure the UI does not offer functionality the backend cannot handle.
+
+::: code-group
+```js [catalog.js]
+module.exports = srv => {
+  srv.after('each', srv.entities.ListOfBooks, book => {
+    if (book.stock > 111) book.title += ` -- 11% discount!`
+  })
+}
+```
 
+```cds [catalog.cds]
+service CatalogService {
+  @Capabilities : { // [!code ++]
+    FilterRestrictions.NonFitlerableFields : [title], // [!code ++]
+    SortRestrictions.NonSortableFields : [title] // [!code ++]
+  } // [!code ++]
+  entity ListOfBooks as projection on persistence.Books;
+}
+```
+:::
 
 ### srv. on (request) {.method}
 
@@ -1162,3 +1262,78 @@ await srv.create `Books` .entries ({title:'Wuthering Heights'})
 await srv.update `Books` .where `ID=${201}` .with `title=${'Sturmhöhe'}`
 await srv.delete `Books` .where `ID=${201}`
 ```
+
+## Performance considerations
+
+Consider the impact of your custom handlers on the response time. This means, use as few `on` handlers as possible, while at the same time minimise the amount of `await` keywords in any handler, including `before` and `after` handlers!
+
+`await` allows for async processing, meaning the server is not blocked and can proceed processing other requests in the meantime while waiting for the awaited result, but to return the response for a request the await still must finish!
+
+In practice this means, no `await` in for loops as well minimizing `await`'s in `before` and `after` handlers. `after` handlers are usually used to post process responses or trigger an event. 
+
+- When you need additional information in the `after` handler, use a `before` handler to adjust the incoming query to enforce properties you need in your `after` handler. When you need data unrelated to the query use an `on` handler and `Promise.all` to await the db result for the query and your additional data simultaneously.
+
+::: code-group
+
+```js [additional-data-of-entity-sample]
+srv.after('READ', Books, async (res, req) => {
+  for (const book of res) {
+    const bookOnDB = await SELECT.one.from(Books).where({ID: book.ID}).columns('stock') // [!code --]
+    book.price = bookOnDB.stock > 100 ? book.price * 0.9 : book.price // [!code --]
+    book.price = book.stock > 100 ? book.price * 0.9 : book.price // [!code ++]
+  }
+})
+
+srv.before('READ', Books, async (req) => { // [!code ++]
+  if ( // [!code ++]
+    req.query.SELECT.columns && // [!code ++]
+    !req.query.SELECT.columns.some(c => c.ref && c.ref[0] === 'stock') && // [!code ++]
+    req.query.SELECT.columns.some(c => c.ref && c.ref[0] === 'price')  // [!code ++]
+  ) { // [!code ++]
+    req.query.SELECT.columns.push({ref: ['stock']}) // [!code ++]
+  } // [!code ++]
+}) // [!code ++]
+```
+
+```js [different-data-sample]
+srv.after('READ', Books, async (res, req) => { // [!code --]
+srv.on('READ', Books, async (req, next) => { // [!code ++]
+  const [res, config] = await Promise.all([ // [!code ++]
+    next(), // [!code ++]
+    srv.run(SELECT.one.from(Configuration)) // [!code ++]
+  ]) // [!code ++]
+  const config = await srv.run(SELECT.one.from(Configuration)) // [!code --]
+  for (const book of res) {
+    if (config.saleIsHappening)
+      book.price = book.stock > 100 ? book.price * 0.9 : book.price
+  }
+  return res; // [!code ++]
+}) // [!code --]
+```
+:::
+
+- When you need to execute actions irrelevant to the response, wrap them inside [`cds.spawn`](./cds-tx#cds-spawn) so they are processed asynchronously and the request can proceed without waiting for the action. An example here would be triggering a notification.
+
+::: code-group
+
+```js [emit-event-after-delete]
+srv.after('SAVE', Books, async (book, req) => {
+  // Without cds.spawn both selects and the notify // [!code ++]
+  // would slow down the response time for the SAVE // [!code ++]
+  cds.spawn({}, async () => { // [!code ++]
+    const author = await SELECT.one.from(Authors).where({ID: book.author_ID});
+    const editor = await SELECT.one.from(Users).where({ID: cds.context.user.id}).columns('displayName');
+
+    const alert = await cds.connect.to('notifications');
+    await alert.notify ('BookModified', {
+      recipients: [ author.email ],
+      data: {
+        customer: customer.info,
+        title: book.title,
+        user: editor.displayName,
+      }
+    })
+  })// [!code ++]
+})
+```
+:::
\ No newline at end of file
diff --git a/node.js/events.md b/node.js/events.md
index 55451b544..36dfc1d2f 100644
--- a/node.js/events.md
+++ b/node.js/events.md
@@ -183,6 +183,16 @@ this.before ('UPDATE',Books, req => {
 })
 ```
 
+::: danger Flexibility of `req.data`
+
+`req.data` can contain multiple properties to be modified or just one. When the Fiori elements UI sends requests usually only one modification will be send at a time, as `PATCH` requests are triggered when the field focus changes. However a curious user could send the `PATCH` request themselves and include multiple updates at once.
+
+Thus if you implement validation logic for property "A" but you use updatable property "B" for the validation, it is not sufficient to just query property "B" from the database when property "A" is updated. You need to prioritise `req.data.B` over the database result for the correct validation.
+
+Furthermore for `SAVE` events `req.data` might appear to contain all elements, but `@Core.Computed` or `@Core.Immutable` elements won't show up if it is not the initial `SAVE` where the active record is first created.
+
+:::
+
 ### . headers {.property}
 
 Provides access to headers of the event message or request. In the case of asynchronous event messages, it's the headers information sent by the event source. For HTTP requests it's the [standard Node.js request headers](https://nodejs.org/api/http.html#http_message_headers).
@@ -345,6 +355,18 @@ req.query = {SELECT:{from:{ref:['Books']}}}
 
 For bound custom operations, `req.query` contains the query to the entity on which the operation is called. For unbound custom operations, `req.query` contains an empty object.
 
+::: danger Be aware of the flexibility of `req.query`
+`req.query` can have all kinds of formats. Thus make as few assumptions as possible when asserting checks or modifying it.
+
+Important pieces you need to consider:
+
+- `SELECT.from` usually contains an object with `ref` which includes the access path and where you can get the targeted or root entity. However analytical queries leverage `SELECT.from.SELECT` to model nested `SELECT`s. This allows analytical queries to add on the topmost layer custom properties, which were created by a lower level aggregation and which are not part of `req.target.elements`.
+- The order of operators in `SELECT.where` is not granted. A malicious attacker could for example send `1 eq myProp` instead of the usual `myProp eq 1`. When extracting the value you need to be aware of that.
+- Furthermore expressions could be wrapped in brackets `(myProp eq 1)`, which will modify the CQN, to have an `xpr` element. Thus when extracting values you should recursively go through the where clause to cover `xpr` elements as well.
+- Check for `req.query.SELECT.count`. If that is true OData's `/$count` is requested and if you do anything column related your handler should likely be skipped.
+- Check if the `SELECT.columns` property only contains a stream property. In these cases column modifications can be skipped as well.
+:::
+
 ### . subject {.property}
 
 Acts as a pointer to the instances targeted by the request.