lcp 0.1.0 → 0.2.0

data/lib/lcp_ruby/export/data_generator.rb

@@ -78,7 +78,11 @@ module LcpRuby
       end
 
       def resolve_and_format(record, field_path, output: :csv)
-        value = @field_value_resolver.resolve(record, field_path, raw: @raw)
+        # Resolver now always returns raw enum keys; the formatter is the
+        # single source of enum-mode rendering (`label` / `key` / `both`).
+        # The `@raw` flag controls the formatter's native-type output for
+        # raw `.json` / `.csv` endpoints.
+        value = @field_value_resolver.resolve(record, field_path)
         field_def, model_name = field_meta[field_path]
 
         @formatter.format(value, field_definition: field_def, model_name: model_name, raw: @raw, output: output)

data/lib/lcp_ruby/export/value_formatter.rb

@@ -30,6 +30,32 @@ module LcpRuby
 
         type = field_definition&.type || infer_type(value)
 
+        # has_many → terminal dot-paths (e.g. `tasks.status`, `tasks.due_date`,
+        # `tasks.title`) deliver an Array of terminal values. Format each element
+        # through the SAME type logic and recombine — a single chokepoint so
+        # every type is handled, not just enum. Without it, non-enum Arrays fell
+        # through to scalar parsers: `format_date([d1, d2])` parsed only the
+        # first date (silent data loss) and string terminals emitted the Ruby
+        # array literal `["a", "b"]`.
+        #
+        # Gate on the EXPLICIT field type, not `type`: only a declared `json`
+        # field holds an Array that must serialize as JSON. When the field def
+        # can't be resolved (field_definition nil), `type` would be
+        # `infer_type(Array) == "json"` and wrongly skip the join — so a
+        # has_many dot-path with no resolvable terminal would still emit the
+        # Ruby array literal. Checking field_definition&.type keeps that case
+        # joined.
+        if value.is_a?(Array) && field_definition&.type != "json"
+          formatted = value.map do |v|
+            format(v, field_definition: field_definition, model_name: model_name, raw: raw, output: output)
+          end
+          # Raw JSON wants a native array of typed values; CSV and the
+          # locale-formatted label modes want a single joined cell.
+          return formatted if raw && output != :csv
+
+          return formatted.compact.join(array_separator)
+        end
+
         return format_raw(value, type, output) if raw
 
         case type
@@ -57,6 +83,8 @@ module LcpRuby
       def format_raw(value, type, output)
         case type
         when "enum"
+          # Array values are joined/native-arrayed by the #format chokepoint
+          # before dispatch, so this only sees scalar raw keys.
           value.to_s
         when "date"
           parse_date(value)&.iso8601 || value.to_s
@@ -124,6 +152,8 @@ module LcpRuby
       end
 
       def format_enum(value, field_def, model_name)
+        # Array values (has_many enum dot-paths) are handled by the Array
+        # chokepoint in #format before dispatch, so this only sees scalars.
         mode = @options["enum_mode"] || "label"
         key = value.to_s
 
@@ -138,6 +168,10 @@ module LcpRuby
         end
       end
 
+      def array_separator
+        @options["array_separator"] || ", "
+      end
+
       def enum_label(key, field_def, model_name)
         return key.humanize unless field_def
         field_def.enum_label_for(key, model_name: model_name)

data/lib/lcp_ruby/grouped_query/builder.rb

@@ -181,6 +181,8 @@ module LcpRuby
         def date_trunc_sql(period, col_ref, conn)
           if LcpRuby.postgresql?
             "DATE_TRUNC('#{period}', #{col_ref})"
+          elsif LcpRuby.mysql?
+            mysql_trunc(period, col_ref)
           else
             sqlite_trunc(period, col_ref)
           end
@@ -200,6 +202,25 @@ module LcpRuby
             "strftime('#{format}', #{col_ref})"
           end
         end
+
+        # MySQL/MariaDB has no strftime; DATE_FORMAT produces the same period-key
+        # strings ("2026-01", "2026") that GroupedQueryHelper#parse_period_value
+        # consumes, so the helper stays adapter-agnostic. Quarter is built with
+        # QUARTER() to match SQLite's "2026-Q1" shape.
+        def mysql_trunc(period, col_ref)
+          case period
+          when "quarter"
+            "CONCAT(YEAR(#{col_ref}), '-Q', QUARTER(#{col_ref}))"
+          else
+            format = case period
+            when "day"   then "%Y-%m-%d"
+            when "week"  then "%Y-%u"
+            when "month" then "%Y-%m"
+            when "year"  then "%Y"
+            end
+            "DATE_FORMAT(#{col_ref}, '#{format}')"
+          end
+        end
       end
     end
   end

data/lib/lcp_ruby/metadata/configuration_validator.rb

@@ -5617,7 +5617,7 @@ module LcpRuby
           validate_workflow_graph_widget(page, zone, widget)
         end
 
-        if widget["link_to"] && widget_type != "text"
+        if widget["link_to"] && !LcpRuby::Metadata::ZoneDefinition::I18N_TEXT_WIDGET_TYPES.include?(widget_type)
           unless all_slugs.include?(widget["link_to"])
             @warnings << "Page '#{page.name}', zone '#{zone.name}': widget link_to '#{widget["link_to"]}' " \
                          "does not match any known page slug"
@@ -5858,8 +5858,8 @@ module LcpRuby
 
         model_name = resolve_zone_model(page, zone)
         unless model_name
-          if zone.widget? && zone.widget["type"] == "text"
-            @warnings << "Page '#{page.name}', zone '#{zone.name}': text widget has scope but no model context"
+          if zone.widget? && LcpRuby::Metadata::ZoneDefinition::I18N_TEXT_WIDGET_TYPES.include?(zone.widget["type"])
+            @warnings << "Page '#{page.name}', zone '#{zone.name}': #{zone.widget["type"]} widget has scope but no model context"
           end
           return
         end
@@ -5876,8 +5876,8 @@ module LcpRuby
 
         model_name = resolve_zone_model(page, zone)
         unless model_name
-          if zone.widget? && zone.widget["type"] == "text"
-            @warnings << "Page '#{page.name}', zone '#{zone.name}': text widget has default_scope but no model context"
+          if zone.widget? && LcpRuby::Metadata::ZoneDefinition::I18N_TEXT_WIDGET_TYPES.include?(zone.widget["type"])
+            @warnings << "Page '#{page.name}', zone '#{zone.name}': #{zone.widget["type"]} widget has default_scope but no model context"
           end
           return
         end

data/lib/lcp_ruby/metadata/field_path.rb

@@ -0,0 +1,57 @@
+module LcpRuby
+  module Metadata
+    # Walks a dot-path field reference through metadata to find the terminal
+    # field definition and its owning model name.
+    #
+    # Used by view templates and helpers that need to humanize/route an enum
+    # value coming from a cross-model field path like `"contact.tier"` or
+    # `"order.customer.status"`. The terminal model_name is the i18n
+    # namespace under which `enum_label_for` should look up labels
+    # (`lcp_ruby.enums.<model>.<field>.*`).
+    #
+    # Returns `[FieldDefinition, model_name]` or `[nil, nil]` when:
+    #   - model_def is nil or path is blank
+    #   - any intermediate segment is missing / non-LCP
+    #   - an intermediate segment is a collection (`has_many`) and
+    #     `through_collections:` is false (the default)
+    #   - any segment cannot be loaded from the metadata loader
+    #
+    # `through_collections:` — when false (default), an intermediate
+    # `has_many` aborts the walk (`[nil, nil]`). This is what
+    # `LabelMethodBuilder` wants: a `to_label` walks a singular chain with
+    # `public_send`, so a collection mid-path can't yield a scalar value.
+    # Display surfaces (index tables, cards, tree) pass `true`: a has_many
+    # terminal enum (e.g. `contacts.tier`) resolves to an Array of values
+    # that the field def still humanizes element-wise (issue #18). The
+    # terminal field def is identical either way — the flag only governs
+    # whether a collection mid-path is allowed.
+    #
+    # Callers treat `[nil, nil]` as "no metadata available — pass through".
+    module FieldPath
+      module_function
+
+      def terminal(model_def, path, through_collections: false)
+        return [ nil, nil ] if model_def.nil?
+
+        path_str = path.to_s
+        return [ nil, nil ] if path_str.empty?
+
+        parts = path_str.split(".")
+        current_def = model_def
+
+        parts[0..-2].each do |segment|
+          assoc = current_def.associations.find { |a| a.name == segment }
+          return [ nil, nil ] unless assoc&.lcp_model?
+          return [ nil, nil ] unless through_collections || assoc.singular?
+
+          current_def = LcpRuby.loader.model_definition(assoc.target_model)
+          return [ nil, nil ] if current_def.nil?
+        end
+
+        [ current_def.field(parts.last), current_def.name ]
+      rescue MetadataError
+        [ nil, nil ]
+      end
+    end
+  end
+end

data/lib/lcp_ruby/metadata/loader.rb

@@ -701,16 +701,42 @@ module LcpRuby
         end
 
         data = YAML.safe_load_file(menu_file, permitted_classes: [ Symbol, Regexp ])
-        return unless data
+
+        # An empty / comment-only menu.yml parses to nil. In :strict mode (no
+        # auto-append) that is an empty nav bar with no signal — fail loud,
+        # same as a present-but-content-less menu below.
+        if data.nil?
+          raise_strict_empty_menu! if menu_mode == :strict
+          return
+        end
 
         @menu_definition = MenuDefinition.from_hash(data)
         validate_menu_references!
 
+        # :strict mode is authoritative and does NOT auto-populate from view
+        # groups, so a menu.yml that declares no navigation — neither top_menu
+        # nor sidebar_menu, an empty list (`top_menu: []`), or a `responsive:`-
+        # only block — would boot with an empty nav bar and no signal. `blank?`
+        # catches nil AND []. In :auto mode this is fine: auto-append fills
+        # top_menu below.
+        if menu_mode == :strict &&
+           @menu_definition.top_menu.blank? && @menu_definition.sidebar_menu.blank?
+          raise_strict_empty_menu!
+        end
+
         auto_append_unreferenced_view_groups! if menu_mode == :auto
       rescue Psych::SyntaxError => e
         raise MetadataError, "YAML syntax error in #{menu_file}: #{e.message}"
       end
 
+      def raise_strict_empty_menu!
+        raise MetadataError,
+          "menu.yml declares no navigation (neither top_menu nor sidebar_menu) but " \
+          "menu_mode is :strict, which does not auto-populate the menu from view groups — " \
+          "the app would render with an empty navigation bar. Add a top_menu or sidebar_menu, " \
+          "or switch to menu_mode :auto."
+      end
+
       def load_theme
         theme_file = %w[theme.yml theme.yaml].map { |f| base_path.join(f) }.find(&:exist?)
         return unless theme_file
@@ -774,6 +800,12 @@ module LcpRuby
 
       def validate_strict_mode!
         @view_group_definitions.each_value do |vg|
+          # Auto-created VGs (no author-written file) inherit a default
+          # `{ menu: "main", position: X }` for `:auto` mode placement.
+          # In `:strict` mode that placement is meaningless (menu.yml is
+          # authoritative) and there's no file for the configurator to
+          # edit — skip them rather than forcing per-VG workaround files.
+          next if vg.source_type == "auto"
           next unless vg.navigable?
 
           nav = vg.navigation_config

data/lib/lcp_ruby/metadata/menu_definition.rb

@@ -1,6 +1,14 @@
 module LcpRuby
   module Metadata
     class MenuDefinition
+      # Every recognized top-level key in menu.yml. Mirrors
+      # `lib/lcp_ruby/schemas/menu.json` (`additionalProperties: false`).
+      # `validate!` rejects anything else so a typo (`top_men:`,
+      # `side_menu:`) fails fast at boot instead of silently dropping the
+      # whole menu — the same footgun MenuItem.reject_unknown_keys! guards
+      # against at the item level.
+      KNOWN_TOP_LEVEL_KEYS = %w[top_menu sidebar_menu responsive].freeze
+
       attr_reader :top_menu, :sidebar_menu, :raw_hash, :responsive
 
       # Class-level flag so the auto-inject info log fires once per Ruby
@@ -90,9 +98,31 @@ module LcpRuby
       end
 
       def validate!
-        unless has_top_menu? || has_sidebar_menu?
-          raise MetadataError, "Menu definition must have at least one of: top_menu, sidebar_menu"
+        # Both menus nil is a valid state: a fresh-install menu.yml carries
+        # only `# lcp:menu` insertion markers (or a `responsive:`-only block),
+        # and in :auto mode auto-append populates top_menu from view groups.
+        # A truly empty/comment-only file never reaches here (the loader
+        # returns before `from_hash` when YAML parses to nil).
+        #
+        # But an empty file and a *typo'd* one (`top_men:`/`side_menu:`) used
+        # to be indistinguishable — both parse to both-nil and would silently
+        # drop a fully-configured menu. Reject unknown top-level keys (with a
+        # DidYouMean hint) so the typo fails fast; known-key-only files
+        # (including the marker-only fresh install) pass through.
+        return if @raw_hash.nil?
+
+        unknown = @raw_hash.keys.map(&:to_s).reject { |k| KNOWN_TOP_LEVEL_KEYS.include?(k) }
+        return if unknown.empty?
+
+        hint = ""
+        if unknown.size == 1
+          suggestion = DidYouMean::SpellChecker.new(dictionary: KNOWN_TOP_LEVEL_KEYS).correct(unknown.first).first
+          hint = " Did you mean '#{suggestion}:'?" if suggestion
         end
+
+        raise MetadataError,
+              "Menu has unknown top-level key(s): #{unknown.map { |k| "'#{k}'" }.join(', ')}. " \
+              "Valid keys: #{KNOWN_TOP_LEVEL_KEYS.join(', ')}.#{hint}"
       end
 
       def log_auto_inject_sidebar_toggle

data/lib/lcp_ruby/metadata/menu_item.rb

@@ -104,10 +104,13 @@ module LcpRuby
       # Build a MenuItem from a parsed YAML hash.
       # Detection priority: separator > view_group > children > url|presenter
       # Existing call style preserved: `from_hash("view_group" => "x", ...)`
-      # works because the method takes a single positional Hash. Any
-      # incoming `:type` / `"type"` key is silently ignored — type is
-      # always re-derived from the destination keys present (so merging
-      # `to_kwargs` with provider returns works without colliding on type).
+      # works because the method takes a single positional Hash. `type` is
+      # NOT an accepted key here — reject_unknown_keys! (in the shared
+      # build_from_hash) rejects it, matching the JSON schema, which has no
+      # `type` property. Type is always re-derived from the destination keys
+      # present. Provider returns that echo a `type:` reach build_from_hash via
+      # `from_hash_at_depth` (not this method), but LayoutHelper#filter_provider_keys
+      # strips it upstream (PROVIDER_STRIP_KEYS) so the round-trip still works.
       def self.from_hash(hash)
         build_from_hash(hash, 0)
       end
@@ -127,6 +130,31 @@ module LcpRuby
       # on top in PR #2b's MenuItem extensions.
       DESTINATION_KEYS = %w[url presenter view_group provider children separator sidebar_toggle].freeze
 
+      # Every key the MenuItem parser knows about. Anything outside this
+      # set is rejected at boot — the schema also has `additionalProperties:
+      # false` on menu_item but that runs only via `lcp_ruby:validate`, not
+      # at `rails s` time. Parse-time rejection turns silent typos
+      # (`section: "Marketplace"` instead of `label:`) into immediate boot
+      # errors rather than icon-only menu items the configurator hunts for
+      # an hour. Keys starting with `_` are reserved for internal DSL
+      # annotations (`_label_source_loc`, `_aria_label_source_loc`) and
+      # allowed without enumeration.
+      # NOTE: `type` is intentionally NOT here. It's an internal kwarg
+      # (derived from the destination key, round-tripped via `to_kwargs` →
+      # `new` at the Ruby level, never read from author YAML). Listing it
+      # would let `type:` pass this parse-time check while the JSON schema
+      # (`additionalProperties: false`, no `type` property) rejects it under
+      # `lcp_ruby:validate` — two different verdicts for the same file.
+      KNOWN_KEYS = %w[
+        url presenter view_group provider children separator sidebar_toggle widget
+        method alias action defaults
+        render render_panel panel_provider options
+        label label_key icon aria_label aria_label_key
+        visible_when disable_when position badge
+        responsive_priority pin hide_below show_below collapse_label_below
+        _label_source_loc _aria_label_source_loc
+      ].freeze
+
       # Keys allowed on a `:separator` item. Anything else is a configurator
       # footgun — a separator with a `label:` is invisible (no element renders
       # it); a separator with `disable_when:` makes no sense (nothing to
@@ -147,6 +175,8 @@ module LcpRuby
       def self.build_from_hash(hash, depth)
         hash = HashUtils.stringify_deep(hash)
 
+        reject_unknown_keys!(hash)
+
         # Destination mutex (B1, simple form): exactly one of the
         # destination keys may be present. (PR #2a doesn't parse
         # `provider:` — schema rejects unknown keys via
@@ -338,6 +368,25 @@ module LcpRuby
       end
       private_class_method :build_from_hash
 
+      # Raise on any key not in KNOWN_KEYS (keys prefixed `_` pass through
+      # as internal DSL annotations). When a single unknown key fuzzy-
+      # matches a known one (e.g. `section:` → `label:`), include the
+      # suggestion in the message — those typos are the common case.
+      def self.reject_unknown_keys!(hash)
+        unknown = hash.keys.reject { |k| KNOWN_KEYS.include?(k) || k.to_s.start_with?("_") }
+        return if unknown.empty?
+
+        hint = ""
+        if unknown.size == 1
+          suggestion = DidYouMean::SpellChecker.new(dictionary: KNOWN_KEYS).correct(unknown.first).first
+          hint = " Did you mean '#{suggestion}:'?" if suggestion
+        end
+
+        raise MetadataError,
+              "Menu item has unknown key(s): #{unknown.map { |k| "'#{k}'" }.join(', ')}.#{hint}"
+      end
+      private_class_method :reject_unknown_keys!
+
       # Resolve label with i18n support.
       # Priority: explicit `label: false` short-circuit > label_key >
       # explicit label > view_group's primary presenter resolved_label >

data/lib/lcp_ruby/metadata/model_definition.rb

@@ -368,6 +368,15 @@ module LcpRuby
         features = []
         features << "enums" if enum_fields.any?(&:virtual?)
         features << "service_accessors" if fields.any?(&:service_accessor?)
+        # Auto-register the AR :json attribute for json-backed fields. The
+        # regular Builder always runs JsonTypeApplicator, but the bind_to path
+        # skips the Builder — so without this a bind_to model's json column is
+        # left to adapter reflection, and MariaDB (which reports JSON as
+        # longtext) returns a raw String instead of a parsed Hash, breaking
+        # json_field service accessors and json_valid() inserts.
+        features << "json_types" if fields.any? { |f| !f.array? && f.column_type == LcpRuby.json_column_type }
+        # Likewise array fields, which are json-backed on non-PostgreSQL adapters.
+        features << "array_types" if fields.any?(&:array?)
         # Auto-enable defaults so bind_to models get the same default-on-create
         # semantics as dynamic LCP models. Without this, fields like
         # `theme: enum, default: auto, source: json_field` on a bind_to model

data/lib/lcp_ruby/metadata/zone_definition.rb

@@ -2,7 +2,12 @@ module LcpRuby
   module Metadata
     class ZoneDefinition
       VALID_AREAS = %w[main tabs sidebar below].freeze
-      VALID_WIDGET_TYPES = %w[kpi_card text list chart embed workflow_graph approval_status].freeze
+      VALID_WIDGET_TYPES = %w[kpi_card text rich_text markdown list chart embed workflow_graph approval_status].freeze
+
+      # i18n-string widget types — neither depends on a model scope, all
+      # require `content_key`, none are valid targets for `depends_on`
+      # (no data dependency to refresh on).
+      I18N_TEXT_WIDGET_TYPES = %w[text rich_text markdown].freeze
       VALID_CHART_TYPES = %w[line bar column pie donut area].freeze
       PIE_CHART_TYPES = %w[pie donut].freeze
       VALID_CHART_LEGEND_STRINGS = %w[auto top bottom left right].freeze
@@ -281,8 +286,10 @@ module LcpRuby
             raise MetadataError, "Zone '#{@name}' kpi_card widget requires 'model'" unless @widget["model"]
             raise MetadataError, "Zone '#{@name}' kpi_card widget requires 'aggregate'" unless @widget["aggregate"]
           end
-        when "text"
-          raise MetadataError, "Zone '#{@name}' text widget requires 'content_key'" unless @widget["content_key"]
+        when "text", "rich_text", "markdown"
+          unless @widget["content_key"]
+            raise MetadataError, "Zone '#{@name}' #{widget_type} widget requires 'content_key'"
+          end
         when "list"
           raise MetadataError, "Zone '#{@name}' list widget requires 'model'" unless @widget["model"]
         when "chart"
@@ -372,8 +379,8 @@ module LcpRuby
       def validate_depends_on!
         return unless @depends_on
 
-        if widget? && @widget && @widget["type"] == "text"
-          raise MetadataError, "Zone '#{@name}': depends_on is not valid on text widget zones"
+        if widget? && @widget && I18N_TEXT_WIDGET_TYPES.include?(@widget["type"])
+          raise MetadataError, "Zone '#{@name}': depends_on is not valid on #{@widget["type"]} widget zones"
         end
       end
 

data/lib/lcp_ruby/metrics/json_query.rb

@@ -18,6 +18,11 @@ module LcpRuby
 
         if LcpRuby.postgresql?
           "#{quoted_table}.#{quoted_column} ->> #{conn.quote(key)}"
+        elsif LcpRuby.mysql?
+          # MySQL/MariaDB JSON_EXTRACT keeps JSON quotes around scalars;
+          # JSON_UNQUOTE strips them so comparisons match the raw value. SQLite's
+          # json_extract already returns the bare scalar (no JSON_UNQUOTE there).
+          "JSON_UNQUOTE(JSON_EXTRACT(#{quoted_table}.#{quoted_column}, #{conn.quote("$.#{key}")}))"
         else
           "JSON_EXTRACT(#{quoted_table}.#{quoted_column}, #{conn.quote("$.#{key}")})"
         end

data/lib/lcp_ruby/model_factory/builder.rb

@@ -12,6 +12,7 @@ module LcpRuby
         apply_table_name(model_class)
         apply_enums(model_class)
         apply_array_types(model_class)
+        apply_json_types(model_class)
         apply_validations(model_class)
         apply_inherited_parent_validator(model_class)
         apply_transforms(model_class)
@@ -85,6 +86,10 @@ module LcpRuby
         ArrayTypeApplicator.new(model_class, model_definition).apply!
       end
 
+      def apply_json_types(model_class)
+        JsonTypeApplicator.new(model_class, model_definition).apply!
+      end
+
       def apply_validations(model_class)
         ValidationApplicator.new(model_class, model_definition).apply!
       end

data/lib/lcp_ruby/model_factory/json_type_applicator.rb

@@ -0,0 +1,35 @@
+module LcpRuby
+  module ModelFactory
+    # Registers an explicit ActiveRecord `:json` attribute type for json-backed
+    # fields.
+    #
+    # PostgreSQL (jsonb) and SQLite (json) are reflected correctly by their
+    # adapters, but MariaDB reports JSON columns as `longtext` — so without an
+    # explicit type ActiveRecord treats the column as text and serializes a Hash
+    # via Ruby's `Hash#to_s` (`{"k"=>"v"}`). That is invalid JSON and violates
+    # MariaDB's implicit `json_valid()` CHECK constraint on insert. Declaring the
+    # attribute type makes Hash<->JSON (de)serialization adapter-agnostic.
+    #
+    # Array fields are also json-backed on non-PostgreSQL adapters, but
+    # ArrayTypeApplicator already registers their own ArrayType, so they are
+    # excluded here. The custom_data column (custom fields) is handled separately
+    # in CustomFields::Applicator since it is not part of `model_definition.fields`.
+    class JsonTypeApplicator
+      def initialize(model_class, model_definition)
+        @model_class = model_class
+        @model_definition = model_definition
+      end
+
+      def apply!
+        @model_definition.fields.each do |field|
+          next if field.array?
+          next unless field.column_type == LcpRuby.json_column_type
+
+          options = {}
+          options[:default] = field.default unless field.default.nil?
+          @model_class.attribute field.name.to_sym, :json, **options
+        end
+      end
+    end
+  end
+end

data/lib/lcp_ruby/model_factory/label_method_builder.rb

@@ -55,26 +55,10 @@ module LcpRuby
 
         # Walks the dot-path through metadata to locate the terminal field
         # definition. Returns [FieldDefinition, model_name] tuple, or
-        # [nil, nil] when any segment cannot be resolved (no model_def,
-        # non-LCP target, missing association). Callers treat [nil, nil]
-        # as "no enum routing — pass value through unchanged".
+        # [nil, nil] when any segment cannot be resolved. Callers treat
+        # [nil, nil] as "no enum routing — pass value through unchanged".
         def resolve_terminal(model_def, parts)
-          return [ nil, nil ] if model_def.nil?
-          return [ nil, nil ] if parts.empty?
-
-          current_def = model_def
-          parts[0..-2].each do |segment|
-            assoc = current_def.associations.find { |a| a.name == segment.to_s }
-            return [ nil, nil ] unless assoc&.singular? && assoc.lcp_model?
-
-            current_def = LcpRuby.loader.model_definition(assoc.target_model)
-            return [ nil, nil ] if current_def.nil?
-          end
-
-          terminal = parts.last.to_s
-          [ current_def.field(terminal), current_def.name ]
-        rescue MetadataError
-          [ nil, nil ]
+          Metadata::FieldPath.terminal(model_def, parts.join("."))
         end
       end
     end

data/lib/lcp_ruby/model_factory/schema_manager.rb

@@ -10,6 +10,13 @@ module LcpRuby
       MANAGED_APPLY_MUTEX = Mutex.new
       private_constant :MANAGED_APPLY_MUTEX
 
+      # Default precision/scale for a `decimal` field that declares neither
+      # (via type nor field column_options). Without this MySQL/MariaDB
+      # truncates to DECIMAL(10,0). 16 total digits with 4 fractional covers
+      # money and rate values with headroom; authors override per field/type.
+      DEFAULT_DECIMAL_PRECISION = 16
+      DEFAULT_DECIMAL_SCALE = 4
+
       attr_reader :model_definition
 
       # `mode` is :full (default) for dynamic models — runs create_table!,
@@ -637,6 +644,18 @@ module LcpRuby
         options[:precision] = col_opts[:precision] if col_opts[:precision]
         options[:scale] = col_opts[:scale] if col_opts[:scale]
         options[:null] = col_opts[:null] if col_opts.key?(:null)
+
+        # A bare `decimal` truncates on MySQL/MariaDB: their DECIMAL defaults to
+        # (10,0) (scale 0), so 19.99 stores as 19. PostgreSQL (unlimited numeric)
+        # and SQLite keep the value, so only MySQL needs a default — scope it there
+        # to avoid narrowing PG's unlimited precision. Authors override via type or
+        # field column_options (e.g. the `currency` type's 12,2); a scale-only
+        # override is preserved (fill just the missing precision).
+        if field.column_type == :decimal && LcpRuby.mysql? && !options.key?(:precision)
+          options[:precision] = DEFAULT_DECIMAL_PRECISION
+          options[:scale] = DEFAULT_DECIMAL_SCALE unless options.key?(:scale)
+        end
+
         if field.array?
           if LcpRuby.postgresql?
             options[:array] = true

data/lib/lcp_ruby/pages/definition_validator.rb

@@ -16,6 +16,19 @@ module LcpRuby
           errors_list << "missing 'name'" unless hash["name"].present?
           errors_list << "missing 'zones' or empty zones array" unless hash["zones"].is_a?(Array) && hash["zones"].any?
 
+          # Security: the rich_text widget renders its content via `raw()`
+          # (unsanitized HTML). That is acceptable for YAML-authored pages
+          # (code-reviewed, deployed with the app), but a DB-defined page is
+          # end-user-editable through the platform UI — an attacker-controlled
+          # `content_key` would round-trip through `I18n.t(..., default:)` and
+          # render verbatim, a stored-XSS vector. Forbid it here; the markdown
+          # widget (sanitized) covers the same authoring need.
+          if hash["zones"].is_a?(Array) &&
+             hash["zones"].any? { |z| z.is_a?(Hash) && z["widget"].is_a?(Hash) && z["widget"]["type"] == "rich_text" }
+            errors_list << "rich_text widget is not allowed in a database-defined page " \
+                           "(it renders unsanitized HTML); use the markdown widget instead"
+          end
+
           if errors_list.empty?
             begin
               LcpRuby::Metadata::PageDefinition.from_hash(hash)