browsable 0.1.0 → 0.2.0.pre.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8fbd1c4932fbe740cf4d0560fbeb4738c51c3129efdb3c7a3e48b86bc47a743d
-  data.tar.gz: f6d98e30cc6e54c6c5fe643dbf3eada45a08af171e2632561c8d91f1b49c74b6
+  metadata.gz: 9484cb575cb9dec80631552a5fad005ad12c8cec353c61d139d9a299072a4f05
+  data.tar.gz: 5c1c08df4256e57348aa46c381e81a2bc628cc2bf4cd3ba8a808eef56c67b425
 SHA512:
-  metadata.gz: 5f21b860c35d76a1011a2152a40ab9cbb232e7378d93f61fec3c75f4cea1cd5b69829ea4e77ffd2ae5f7406334e436d4997a17ad41fb769f253362e579d5baa6
-  data.tar.gz: 9e996ecdb1dded29f78c2b30c3b5c37178bd7c339800680bca51947934c6addf965534d09a1b3b03b5358b2134b542b056eab354b9582ba9864dc2dc806f57d7
+  metadata.gz: 97f7dff9786a2b8d697e7043c8a8f61000ef5a44e3e7826e2c9e5de1639b370a7e3908bb8581813dbefdfeda304bfb561f232d287f4c82adaae58782b36d6f90
+  data.tar.gz: d2d0002312062a738b2179126c32bf958a9997c722d7ec46903de6b9e8af535a2ebe2847c09f56873d330a75e0d0c9fedabc2d48bbbbb71731b33c3223d6667b

data/CHANGELOG.md

@@ -7,6 +7,40 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added — v0.2: Runtime response auditing
+
+- **Runtime mode.** A Rack middleware (`Browsable::Middleware`) observes HTML
+  responses during a test run, records the controller#action, the effective
+  `allow_browser` policy, and every asset the response loaded, into a
+  thread-safe `Browsable::AuditLog`. Test-suite integration is opt-in via a
+  single `require`: `browsable/rspec` or `browsable/minitest`.
+- **End-of-suite analysis (`Browsable::TestReport`).** The middleware records;
+  it never analyzes. At suite end, stylelint and eslint are invoked **once**
+  each over the deduplicated union of every asset loaded across the suite —
+  not per request. A 500-spec suite that loads 10 unique CSS files spawns
+  exactly one stylelint process.
+- **Per-endpoint policy resolution (`Browsable::PolicyResolver`).** Walks the
+  controller's ancestor chain, applies each `allow_browser` call's
+  `only:`/`except:` filter to the action, and the last matching call wins —
+  matching Rails' filter-callback semantics.
+- **Asset URL → on-disk path resolution (`Browsable::AssetResolver`).** Strips
+  digests, honors the configured asset host, and walks Propshaft and Sprockets
+  search paths with a public/ fallback. The ≥95% resolution bar is enforced by
+  the new `bin/benchmark-asset-resolution` script.
+- **`browsable replay PATH`** — re-renders a JSON audit dump through any
+  formatter, suitable for emitting GitHub annotations in CI from a saved
+  test-suite report.
+- **Dependencies.** Adds `nokogiri` (response HTML parsing), `concurrent-ruby`
+  (thread-safe `AuditLog`), and `rack` (Rack body handling) as runtime gem
+  dependencies. **The user's Rails app still has no `package.json` and no
+  `node_modules`.** Runtime mode shells out to the same globally-installed
+  `stylelint` and `eslint` as static mode.
+
+### Unchanged
+
+- Static `browsable audit` and the v0.1 CLI surface are fully backwards
+  compatible. Runtime mode is purely additive.
+
 ## [0.1.0]
 
 - Initial release.

data/README.md

@@ -1,32 +1,56 @@
-# browsable
+<div align="center">
 
-**Rails-aware browser-compatibility auditing for your frontend code.**
+# Browsable
 
-`browsable` audits a Rails application's CSS, HTML, ERB, and JavaScript and
-reports which browsers can actually render and run it — then compares that
-against the project's declared `allow_browser` policy.
+**Rails-aware browser-compatibility auditing for your frontend.**
 
-The name is a play on Rails 8's `allow_browser` controller API. Instead of
-*declaring* which browsers you allow, `browsable` tells you which browsers your
-code is actually **browsable by**.
+Find out which browsers your Rails app is actually *browsable by* — before your users do.
 
-> This is the core gem of the [`browsable` monorepo](https://github.com/romanhood/browsable).
-> See also [`browsable-lsp`](../browsable-lsp) (editor diagnostics) and
-> [`browsable.nvim`](../browsable.nvim) (Neovim plugin).
+[![Gem Version](https://img.shields.io/gem/v/browsable.svg)](https://rubygems.org/gems/browsable)
+[![CI](https://github.com/romanhood/browsable/actions/workflows/ci.yml/badge.svg)](https://github.com/romanhood/browsable/actions/workflows/ci.yml)
+[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](../LICENSE)
+[![Ruby](https://img.shields.io/badge/ruby-%3E%3D%203.2-CC342D.svg)](https://www.ruby-lang.org/)
 
-## Philosophy
+</div>
 
-- **The gem owns no parsing or compat-data logic.** It shells out to mature
-  tools that already do this well — [Herb](https://github.com/marcoroth/herb)
-  for ERB, [stylelint](https://stylelint.io/) for CSS,
-  [eslint-plugin-compat](https://github.com/amilajack/eslint-plugin-compat) for
-  JavaScript. The gem's value is the Rails-aware glue.
-- **No `package.json`, no `node_modules` in your Rails repo.** The external
-  tools live globally on your machine. `browsable doctor` detects them and
-  guides installation.
-- **It reports, it doesn't decide.** It tells you what your code requires and
-  what your config permits. You decide what to do.
-- **Configuration is optional.** `browsable` runs with zero config.
+---
+
+Browsable audits a Rails application's CSS, HTML, ERB, and JavaScript and reports which browsers can actually render and run it — then compares the answer against the `allow_browser` policy you've declared.
+
+The name is a play on Rails 8's `allow_browser` controller API. Instead of *declaring* which browsers you allow, `browsable` tells you which browsers your code is actually browsable by.
+
+> 📦 This is the core gem of the [`browsable` monorepo][monorepo].
+> See also [`browsable-lsp`][lsp] for editor diagnostics and [`browsable.nvim`][nvim] for Neovim.
+
+## Table of contents
+
+- [Why Browsable?](#why-browsable)
+- [Installation](#installation)
+- [Quick start](#quick-start)
+- [System dependencies](#system-dependencies)
+- [CLI reference](#cli-reference)
+- [Configuration](#configuration)
+- [How it works](#how-it-works)
+- [Runtime auditing (test-suite mode)](#runtime-auditing-test-suite-mode)
+- [Per-controller policies](#per-controller-and-per-action-policies)
+- [Suggested policy fixes](#suggested-allow_browser-fix)
+- [Rake tasks](#rake-tasks)
+- [Contributing](#contributing)
+- [License](#license)
+
+## Why Browsable?
+
+Rails 8 made browser support a first-class concern with `allow_browser`. But the framework has no opinion on whether your CSS actually works in the browsers you allowed. You can declare `allow_browser :modern` and silently ship `:has()` selectors that break in Safari 15. There was no tool that closed that loop — until now.
+
+Browsable closes it by:
+
+- 🔍 **Reading your `allow_browser` policy** straight from `ApplicationController`
+- 🎯 **Translating it** into a precise browserslist query
+- 📂 **Discovering** your stylesheets, views, JavaScript, and importmap pins
+- ✅ **Auditing each** against best-in-class compat databases (MDN BCD, caniuse)
+- 📋 **Reporting** by file, with exact lines and suggested fixes
+
+No `package.json`. No `node_modules`. No build-system pollution in your Rails repo.
 
 ## Installation
 
@@ -44,49 +68,84 @@ Then `bundle install`. Or install it standalone:
 gem install browsable
 ```
 
-## System dependencies — the `doctor` workflow
+> 💡 **Heads up:** Browsable shells out to `stylelint` and `eslint` for CSS and JS analysis. These live globally on your machine — *not* in your Rails repo. Run `browsable doctor` to check and install them.
 
-`browsable` shells out to `stylelint` and `eslint` (and the `node` runtime they
-need). Those are *not* gem dependencies — they live globally on your machine.
-Check what you have:
+## Quick start
 
 ```bash
-bundle exec browsable doctor
+bundle exec browsable audit
 ```
 
-`doctor` prints, for each missing tool, the exact command to install it. Let it
-do the work for you:
+That's it. With zero configuration, Browsable will:
+
+1. **Read** `ApplicationController`'s `allow_browser` policy to learn your target
+2. **Discover** your stylesheets, views, JavaScript, and importmap pins
+3. **Audit** each against that target
+4. **Report** the findings, grouped by file
+
+### Example output
 
-```bash
-bundle exec browsable doctor --fix   # installs missing tools via brew / npm
 ```
+$ bundle exec browsable audit
 
-ERB and HTML analysis needs nothing extra — the `herb` gem is a dependency and
-runs in-process.
+✓ Target inferred from ApplicationController.allow_browser :modern
+  → chrome 120, edge 120, firefox 121, safari 17.2, opera 106
 
-## Quick start
+⚠ app/assets/stylesheets/cards.css
+    42:3   :has() selector requires Safari 15.4+ (policy allows 17.2 ✓)
+    87:5   @container query requires Firefox 110+ (policy allows 121 ✓)
+
+✗ app/views/legacy/embed.html.erb
+    14:22  <dialog> element requires Safari 15.4+, but the LegacyController
+           policy allows Safari 12.0
+
+Browser policies (2 found)
+    ApplicationController             :modern
+    LegacyController                  { safari: 12, chrome: 60 }  (only: embed)
+
+1 error, 0 warnings — exit 1
+```
+
+## System dependencies
+
+Browsable shells out to a few external tools that live globally on your machine:
+
+| Tool | Purpose | Required? |
+| --- | --- | --- |
+| `node` | JavaScript runtime for `stylelint` & `eslint` | Yes |
+| `stylelint` | CSS compatibility analysis | Yes (CSS audits) |
+| `eslint` + `eslint-plugin-compat` | JavaScript compatibility analysis | Yes (JS audits) |
+| `browserslist` | Live resolution of `defaults` queries | Optional |
+| `herb` | ERB parsing | Bundled (gem dep) |
+
+### The `doctor` workflow
 
 ```bash
-bundle exec browsable audit
+bundle exec browsable doctor
 ```
 
-That's it. With no configuration, `browsable`:
+For each missing tool, `doctor` prints the exact command to install it. Or let it do the work:
 
-1. reads `ApplicationController`'s `allow_browser` policy to learn your target,
-2. discovers your stylesheets, views, JavaScript, and importmap pins,
-3. audits each against that target, and
-4. prints a report grouped by file.
+```bash
+bundle exec browsable doctor --fix
+```
+
+This installs missing tools via `brew` or `npm` — opt-in, never automatic.
 
 ## CLI reference
 
+### Commands
+
 | Command | Purpose |
 | --- | --- |
-| `browsable` / `browsable audit [PATH]` | Full project audit |
+| `browsable` *(or `browsable audit`)* | Full project audit |
+| `browsable audit [PATH]` | Audit a specific directory |
+| `browsable check FILE [FILE...]` | Audit specific files *(used by editors)* |
 | `browsable doctor` | Check system dependencies |
-| `browsable doctor --fix` | Install missing dependencies (opt-in) |
-| `browsable check FILE [FILE...]` | Audit specific files (used by editors) |
+| `browsable doctor --fix` | Install missing dependencies |
 | `browsable target [PATH]` | Show the inferred browser-support target |
-| `browsable init` | Generate a `.browsable.yml` (non-Rails projects) |
+| `browsable replay PATH` | Reformat a JSON audit dump *(test-suite mode → GitHub annotations)* |
+| `browsable init` | Generate `.browsable.yml` *(non-Rails projects)* |
 | `browsable version` | Print the version |
 
 ### Flags
@@ -94,147 +153,281 @@ That's it. With no configuration, `browsable`:
 | Flag | Effect |
 | --- | --- |
 | `--target QUERY` | Override the inferred browserslist query |
-| `--json` | Emit findings as JSON (shortcut for `--format json`) |
+| `--json` | Emit findings as JSON *(shortcut for `--format json`)* |
 | `--format human\|json\|github` | Choose the output formatter |
-| `--no-build` | Scan only what is on disk (`browsable` never builds assets itself) |
-| `--include GLOB` | Add a path glob to the audit (repeatable) |
-| `--exclude GLOB` | Exclude a path glob (repeatable) |
+| `--no-build` | Scan only what's on disk *(Browsable never builds assets itself)* |
+| `--include GLOB` | Add a path glob *(repeatable)* |
+| `--exclude GLOB` | Exclude a path glob *(repeatable)* |
 | `--fail-on warning\|error` | Exit-code policy for CI |
 | `--config PATH` | Override the config file location |
 
-The `--json` output is the universal interface: the LSP server (and any future
-MCP server) consume exactly that structure. The human and GitHub formatters are
-just alternate presentations of the same data.
+> 💡 The `--json` output is the universal interface. The LSP server and any future MCP server consume that exact structure. The `human` and `github` formatters are just alternate presentations of the same data.
 
-## Rails generator
+## Configuration
+
+**Browsable needs no config file.** Configuration is for overrides only.
+
+When a file is present, it's discovered in this order:
+
+1. The path passed to `--config`
+2. `config/browsable.yml` *(preferred in Rails apps)*
+3. `.browsable.yml` in the working directory
+
+Resolution precedence (highest wins):
+
+```
+CLI flags  →  config file  →  inferred Rails config  →  gem defaults
+```
+
+### Generating a config file
 
 ```bash
 rails g browsable:install
 ```
 
-This writes a fully-commented `config/browsable.yml` — every option present,
-commented out, set to its default. It is a self-documenting reference: uncomment
-a line to override it. Flags: `--minimal`, `--target QUERY`, `--force`.
+This writes a fully-commented `config/browsable.yml` — every option present, commented out, set to its default. It's a self-documenting reference: uncomment a line to override it.
+
+| Flag | Effect |
+| --- | --- |
+| `--minimal` | Section headers only, no option reference |
+| `--target QUERY` | Pre-populate the target |
+| `--force` | Overwrite an existing config |
 
 Non-Rails projects use `browsable init`, which writes `.browsable.yml` instead.
 
-## Configuration
+## How it works
 
-`browsable` needs no config file. When one is present it is discovered in this
-order:
+### The inference chain
 
-1. the path passed to `--config`
-2. `config/browsable.yml` (preferred in Rails apps)
-3. `.browsable.yml` in the working directory
+```
+   ApplicationController.allow_browser           →    Target
+       :modern                                        chrome 120, safari 17.2, ...
+                                                          │
+                                                          ▼
+   config/importmap.rb ─┐                              Sources
+   app/assets/**       ─┼─→   discovered files   ─→     │
+   app/views/**        ─┤                               │
+   app/javascript/**   ─┘                               ▼
+                                                     Analyzers
+                                                        │
+                                              CSS  → stylelint
+                                              ERB  → Herb + MDN BCD
+                                              HTML → Herb + MDN BCD
+                                              JS   → eslint + eslint-plugin-compat
+                                                        │
+                                                        ▼
+                                                     Report → Formatter
+```
+
+Browsable's job is the **glue between Rails-land and browserslist-land**. It reads `allow_browser :modern`, expands it to concrete browser versions, configures stylelint and eslint with that target, and runs Herb against a bundled MDN browser-compat-data snapshot for ERB and HTML.
+
+### Partial `allow_browser` policies
+
+If your `allow_browser` policy is a hash that pins only some browsers — say `versions: { safari: 16.4, firefox: 121 }` — Rails leaves every browser you *don't* list allowed at any version. It only blocks a browser it was explicitly given a minimum (or `false`) for.
 
-Resolution precedence (highest wins): **CLI flags → config file → inferred Rails
-config → gem defaults**. See the generated `config/browsable.yml` for the full,
-commented option reference.
+Browsable audits exactly the browsers you pinned and prints a note naming the rest. To audit against more, set an explicit `target:` in `config/browsable.yml`. The same note-and-fall-back-to-`defaults` behavior applies when Browsable can't resolve your policy statically.
+
+### Where `defaults` comes from
 
-## How it works — the inference chain
+When there's no `allow_browser` policy at all, Browsable audits against the [browserslist `defaults`][browserslist] query — the "reasonable broad support" baseline the wider frontend ecosystem uses.
+
+- **With `browserslist` installed** *(`npm install -g browserslist`)*: resolved live from caniuse data
+- **Without it**: a small built-in approximation, with a note saying so
+
+Either way, these versions are *not* a Rails concept — Rails blocks nothing unless you call `allow_browser` — and they aren't derived from stylelint or eslint. For a precise, stable target, set `target:` in `config/browsable.yml`.
+
+## Suggested `allow_browser` fix
+
+When an audit finds errors that are purely a version conflict — your code needs a browser version newer than your policy permits — Browsable prints a ready-to-paste `allow_browser` line that raises *only* the offending browsers to the minimum those features require:
 
 ```
-ApplicationController.allow_browser  →  Target (browserslist query)  →  Analyzers
-        :modern                          chrome 120, safari 17.2          │
-                                                                          ▼
-   config/importmap.rb ─┐                                         CSS  → stylelint
-   app/assets/**       ─┼─→  Sources  ─→  files by kind  ─────────  ERB  → Herb + BCD
-   app/views/**        ─┤                                          HTML → Herb + BCD
-   app/javascript/**   ─┘                                          JS   → eslint
-                                                                          │
-                                                                          ▼
-                                                            Report → Formatter
+💡 Suggested allow_browser policy
+
+   allow_browser versions: {
+     chrome:  120,
+     edge:    120,
+     firefox: 125,    # ← was 121
+     safari:  17.2,
+     opera:   106
+   }
 ```
 
-`browsable` translates between Rails-land and browserslist-land: it reads
-`allow_browser :modern`, expands it to concrete browser versions, configures
-stylelint/eslint with that target, and runs Herb against the bundled MDN
-browser-compat-data snapshot for ERB/HTML.
+It's a suggestion, not an instruction. Tightening the policy is one fix; changing the code (a fallback, a `@supports` rule) is another. **Browsable reports — you decide.**
 
-### Partial `allow_browser` policies
+The suggestion is derived from HTML/ERB findings, which carry exact version data. It also appears in `--json` output as `suggested_policy` and as a GitHub Actions notice.
 
-If your `allow_browser` policy is a hash that pins only some browsers — say
-`versions: { safari: 16.4, firefox: 121 }` — Rails leaves every browser you
-*don't* list allowed at **any** version (it only blocks a browser it was given a
-minimum, or `false`, for). browsable audits exactly the browsers you pinned and
-prints a note naming the rest. To audit against more, set an explicit `target:`
-in `config/browsable.yml`. The same note-and-fall-back-to-`defaults` behaviour
-applies when browsable cannot resolve your policy statically.
+## Runtime auditing (test-suite mode)
 
-### Where `defaults` comes from
+Static mode answers the question *“does my codebase satisfy a single browser-support target?”*. Runtime mode answers a sharper one: *“for every endpoint in my app, does the HTML it actually renders satisfy that endpoint's policy?”* It does this without trying to build a static asset → endpoint graph — instead, it lets Rails itself say what each endpoint renders during a test run, and audits *that*.
+
+Runtime mode uses **the same machine-level tools as static mode** — `node`, `stylelint`, `eslint`. No `package.json`, no `node_modules` in your Rails app. The middleware records during the suite; analysis happens **once**, at the end, with one stylelint and one eslint invocation regardless of how many request specs you ran.
 
-When there is no `allow_browser` policy at all, browsable audits against the
-[browserslist](https://github.com/browserslist/browserslist) `defaults` query —
-the "reasonable broad support" baseline the wider frontend ecosystem uses. It is
-resolved **live** from caniuse data when the `browserslist` CLI is installed
-(`npm install -g browserslist`); otherwise browsable uses a small **built-in
-approximation** and says so in a note. Either way these versions are *not* a
-Rails concept — Rails blocks nothing unless you call `allow_browser` — and they
-are not derived from stylelint or eslint. For a precise, stable target, set
-`target:` in `config/browsable.yml`.
-
-### Suggested `allow_browser` fix
-
-When an audit finds errors that are purely a version conflict — your code needs
-a browser version newer than your policy permits — browsable prints a ready-to-paste
-`allow_browser` line that raises *only* the offending browsers to the minimum
-those features require, leaving every other browser untouched:
-
-```
-Suggested allow_browser policy
-    allow_browser versions: { chrome: 120, edge: 120, firefox: 125, safari: 17.2, opera: 106 }
-    firefox: 121 → 125
-```
-
-It is a suggestion, not an instruction: tightening the policy is one fix, changing
-the code (a fallback, a `@supports` rule) is another. browsable reports; you
-decide. The suggestion is derived from HTML/ERB findings, which carry exact
-version data; it also appears in `--json` (`suggested_policy`) and as a GitHub
-Actions notice.
-
-### Per-controller and per-action policies
-
-Rails lets any controller override `allow_browser`, and scope the override to
-certain actions with `only:`/`except:`. browsable scans every file under
-`app/controllers/` (including `concerns/`) and lists each `allow_browser` call
-it finds — its versions and any action scope — under **Browser policies** in the
-report.
-
-The audit itself runs against a single target (ApplicationController's policy,
-or your `config/browsable.yml`). browsable does **not** try to map each frontend
-asset to the exact endpoints — and policies — that serve it. CSS and importmap
-JavaScript are global assets, included via layout helpers on nearly every page,
-so they have no single owning controller action; a per-asset policy graph would
-be guesswork. Instead, browsable shows you the whole policy landscape: if a
-controller serves shared assets to a broader range of browsers than
-ApplicationController, audit against that policy explicitly with `--target` or
-`config/browsable.yml`. Per-action auditing of `app/views/<controller>/`
-templates against their controller's policy is a planned refinement.
+### Adoption
+
+```ruby
+# Gemfile
+group :development, :test do
+  gem "browsable"
+end
+```
+
+```bash
+bundle install
+bundle exec browsable doctor       # one-time, installs stylelint / eslint if missing
+```
+
+```ruby
+# spec/rails_helper.rb (RSpec)
+require "browsable/rspec"
+
+# OR test/test_helper.rb (Minitest)
+require "browsable/minitest"
+```
+
+Then run your suite as you normally would:
+
+```bash
+bundle exec rspec        # or: bundle exec rails test
+```
+
+At end-of-suite Browsable prints a report grouped by `Controller#action`, with each finding evaluated against that endpoint's effective `allow_browser` policy.
+
+### How it works
+
+```
+   ┌──────────────────────┐
+   │   Rack middleware    │   per request: parse HTML, resolve asset URLs,
+   │   (records only)     │   look up policy, push to AuditLog. NO subprocesses.
+   └──────────┬───────────┘
+              │
+              ▼
+   ┌──────────────────────┐
+   │     AuditLog         │   thread-safe accumulator of
+   │     (in-memory)      │   (endpoint, policy, html, asset_paths)
+   └──────────┬───────────┘
+              │  end of suite
+              ▼
+   ┌──────────────────────┐
+   │     TestReport       │   deduplicated asset universe ➜
+   │  (one stylelint,     │     stylelint × 1, eslint × 1
+   │   one eslint call)   │     findings ➜ attributed back to endpoints
+   └──────────────────────┘
+```
+
+- **The middleware never analyzes.** Per-request work is a Nokogiri parse plus URL resolution — under a few milliseconds on a typical page.
+- **The middleware never runs in production.** It raises at construction if `Rails.env.production?`.
+- **Analysis is one batch.** A 500-spec suite that hits 50 unique HTML pages loading the same 10 CSS files spawns **two Node processes**, total — not 500.
+- **Endpoint-level policies.** The `PolicyResolver` walks each controller's ancestor chain, applies each `allow_browser` call's `only:`/`except:` filter, and picks the last matching one — matching Rails' own filter-callback semantics.
+
+### Configuration
+
+The drivers ship with sensible defaults. Override per-suite:
+
+```ruby
+Browsable::RSpec.configure do |c|
+  c.fail_on = :error         # :error | :warning | :never
+  c.format  = :human         # :human | :json | :github
+  c.output  = "tmp/browsable_report.json"
+end
+```
+
+For CI: dump the report as JSON during the test run, then re-render it as GitHub annotations:
+
+```bash
+bundle exec rspec
+bundle exec browsable replay tmp/browsable_report.json --format github
+```
+
+### Example output
+
+```
+browsable audit
+target: runtime-union  (chrome 100, firefox 121, safari 17.2)
+
+[response] PostsController#show
+  ✗ 14:22  popover  the 'popover' attribute needs Safari 17+, but PostsController#show
+                    policy allows Safari 15
+
+app/assets/builds/application.css
+  ▲ 42:3   css-has  ":has()" is not a known feature
+
+Browser policies (2 found)
+  ApplicationController             :modern
+  LegacyController                  { safari: 15, chrome: 100 }  (only: embed)
+
+1 error, 1 warning  across 2 file(s)
+```
+
+`[response] Controller#action` lines are findings against an endpoint's rendered HTML; ordinary file paths are findings against assets the endpoint loaded — the JSON output (`browsable replay … --format json`) preserves the full endpoint-to-finding mapping so dashboards can reconstruct it.
+
+### Compatibility
+
+- Rails 7.1+ (middleware reads `env["action_controller.instance"]`)
+- Ruby 3.2+
+- Propshaft (preferred), with a Sprockets + filesystem fallback
+- RSpec 3.10+ or Minitest 5.15+
+
+## Per-controller and per-action policies
+
+Rails lets any controller override `allow_browser` and scope the override to certain actions with `only:` / `except:`. Browsable scans every file under `app/controllers/` (including `concerns/`) and lists each `allow_browser` call it finds — with its versions and any action scope — under **Browser policies** in the report.
+
+In **static mode**, the audit runs against a single target. CSS and importmap JavaScript are global assets, included via layout helpers on nearly every page, so they have no single owning controller action — and a static asset → endpoint graph would be guesswork.
+
+In **runtime mode** (v0.2+), this is solved properly: the middleware sees the actual HTML each endpoint renders during a test run, so findings are attached to the endpoints that *actually loaded* the asset, against each endpoint's *specific* policy. See [Runtime auditing](#runtime-auditing-test-suite-mode) above.
 
 ## Rake tasks
 
-Inside a Rails app, the railtie registers:
+Inside a Rails app, the railtie registers three tasks:
 
-- `rake browsable:audit` — audit `app/assets/builds/` as it stands
-- `rake browsable:audit:fresh` — run `assets:precompile` first, then audit
-- `rake browsable:doctor` — run the dependency check
+| Task | Behavior |
+| --- | --- |
+| `rake browsable:audit` | Audit `app/assets/builds/` as it stands |
+| `rake browsable:audit:fresh` | Run `assets:precompile` first, then audit |
+| `rake browsable:doctor` | Run the dependency check |
 
-`browsable` never precompiles assets on its own. In CI, compose the pipeline
-explicitly: `bundle exec rails assets:precompile && bundle exec browsable audit`.
+> ⚠️ **Browsable never precompiles assets on its own.** In CI, compose the pipeline explicitly:
+> ```bash
+> bundle exec rails assets:precompile && bundle exec browsable audit
+> ```
 
 ## Contributing
 
-This gem lives in the `browsable/` subdirectory of the
-[monorepo](https://github.com/romanhood/browsable). To work on it:
+This gem lives in the `browsable/` subdirectory of the [monorepo][monorepo]. To work on it:
 
 ```bash
-cd browsable
+git clone https://github.com/romanhood/browsable
+cd browsable/browsable
 bundle install
 bundle exec rspec
 ```
 
-Refresh the bundled compat data with `ruby bin/update-bcd-snapshot`.
+Refresh the bundled MDN browser-compat-data snapshot:
+
+```bash
+ruby bin/update-bcd-snapshot
+```
+
+Bug reports and pull requests welcome. The monorepo has a [CONTRIBUTING.md][contributing] with the broader workflow.
 
 ## License
 
-MIT — see the [LICENSE](../LICENSE) at the monorepo root.
+[MIT][license] — see the LICENSE file at the monorepo root.
+
+---
+
+<div align="center">
+
+Made with care for Rails developers who refuse to add a `package.json` to their app. 🛤️
+
+[Monorepo][monorepo] · [LSP server][lsp] · [Neovim plugin][nvim] · [Report an issue][issues]
+
+</div>
+
+[monorepo]: https://github.com/romanhood/browsable
+[lsp]: https://github.com/romanhood/browsable/tree/main/browsable-lsp
+[nvim]: https://github.com/romanhood/browsable/tree/main/browsable.nvim
+[roadmap]: https://github.com/romanhood/browsable/blob/main/ROADMAP.md
+[contributing]: https://github.com/romanhood/browsable/blob/main/CONTRIBUTING.md
+[license]: https://github.com/romanhood/browsable/blob/main/LICENSE
+[issues]: https://github.com/romanhood/browsable/issues
+[browserslist]: https://github.com/browserslist/browserslist