source_monitor 0.14.0 → 0.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 35e62d7d750d8d9fe1cff82806de1846d27fe505fad819551e48474f864b1499
-  data.tar.gz: 2f6889306b930aa78caec52cc92c7c6919ba379955a6d0484cc8bf44f52dcf6f
+  metadata.gz: 55bf050a9f74f18ed354d7d751f868bc98dc8bc5da59c3da6ce5e0aa0cedc833
+  data.tar.gz: 37a5906b19541de00ef3b860f266a1c7a12e737da58d1a7b80cb806a191936d5
 SHA512:
-  metadata.gz: 3ca0f0c0a9d6e1c2557c501a2a51bc9dee52e486b78cb78f1384232f5af704c209026e514f1dea2ea94c6962d502856add17c57b4afc79c462ed8fa39da8d236
-  data.tar.gz: ed49ec4ce672c5850b2bc3f3a6d73e31f1d08d6c8f7b1a779258db69ac9cdb48d1aa6e8478784a0f89bf161ec81bad31b79485455373a702240a1580ad31f6dc
+  metadata.gz: 0c0109e46a1ec8691592fd304095c833d5d78b9091ffa216e72011040a8683be820016dd51b4a2185d17b9780761410918297f9f4fdeb2fd31d1e952575fbf99
+  data.tar.gz: 9016293bb6d6339026ed811689db2a4f1b87cd90fb60bb7f270113fc698c9714f9935f2aec704c1581b3ef6b61137b2df5c5b21e0ecd8b2bea69be987152057f

data/.claude/skills/sm-upgrade/reference/version-history.md

@@ -2,6 +2,20 @@
 
 Version-specific migration notes for each major/minor version transition. Agents should reference this file when guiding users through multi-version upgrades.
 
+## 0.14.0 to 0.15.0
+
+**Key changes:**
+- **Security:** Rails bumped to 8.1.3 (security release), picking up fixes for five CVEs including XSS in tag/DebugExceptions helpers, an Active Storage path-traversal, and a NumberConverter issue.
+- **ViewComponent 4.x:** the `view_component` dependency widens from `>= 3.0, < 4.0` to `>= 3.0, < 5.0`, allowing host apps to resolve ViewComponent 4.x (engine lockfile resolves to 4.5.0). Engine components use only stable APIs unaffected by v4.
+- **Solid Queue 1.4.0:** bumped from 1.3.1 with race-condition and supervisor stability fixes; dynamic recurring tasks are opt-in.
+- **Documentation:** engine conventions consolidated into `AGENTS.md`; `CLAUDE.md` now points to it.
+
+**Action items:**
+1. `bundle update source_monitor`
+2. `bin/rails source_monitor:upgrade`
+3. No migrations or breaking config/API changes.
+4. If the host app has ViewComponent 3.x customizations (custom components, previews), test after upgrading and consult ViewComponent v4 migration guides if needed.
+
 ## 0.13.1 to 0.14.0
 
 **Key changes:**

data/AGENTS.md

@@ -1,47 +1,74 @@
 # Repository Guidelines
 
-Refer to `CLAUDE.md` for project conventions and skills catalog.
+This file is the **canonical engine convention reference, shared across all AI coding agents** (Claude Code, Codex, etc.). It is the single source of truth for tech stack, architecture, testing, quality gates, CI, security, and commands.
+
+`CLAUDE.md` holds only Claude Code-specific context (working-memory header, VBW commands, and the `.claude/` agent/skill catalogs) and references this file for conventions. When a convention changes, edit it **here**, not in `CLAUDE.md`.
 
 Use rbenv for all ruby and bundler/gem commands, not the system ruby.
 
-## Contribution Workflow
+## Tech Stack
 
-- Treat the engine like any external contributor would: no direct commits to `main`.
-- Before writing code, branch off the latest `origin/main` (use a descriptive `feature/` or `bugfix/` prefix) and open a draft PR on `github.com/dchuk/source_monitor`.
-- Push early and often to that branch so history stays visible; keep commits scoped and rebases local to your branch only.
-- Move the PR out of draft once tests pass and the slice is ready for review; request at least one review and wait for all CI jobs (lint, security, Rails tests + diff coverage) to succeed before merging.
-- The `test` job enforces diff coverage via `bin/check-diff-coverage`; if legitimate gaps remain after new code paths, refresh `config/coverage_baseline.json` by running `bin/test-coverage` followed by `bin/update-coverage-baseline` on the updated branch and commit the regenerated baseline.
-- Merge via the PR UI (squash or rebase as agreed) after approval; avoid rewriting shared history post-push.
-- Tag releases only after the release PR merges, then follow the checklist in `CHANGELOG.md`.
+| Layer | Technology |
+|-------|------------|
+| Ruby | 4.0+ |
+| Rails | 8.x |
+| Testing | Minitest (no fixtures -- uses factory helpers + WebMock/VCR) |
+| Authorization | Host app responsibility (mountable engine); **fail-closed by default** (#129) |
+| Jobs | Solid Queue |
+| Frontend | Hotwire (Turbo + Stimulus) + Tailwind CSS |
+| Linting | RuboCop (omakase) + Brakeman |
+| Database | PostgreSQL only |
 
-## Library Documentation
+## Project Structure & Module Organization
 
-- Use Context7 MCP constantly to look up fresh documentation for any task you're looking to complete, especially tasks that rely on using libraries or gems
+The engine follows the Rails mountable layout generated by `rails plugin new source_monitor --mountable`. Runtime code lives under `app/` (controllers, jobs, views) and is namespaced as `SourceMonitor`. Long-lived services, adapters, and instrumentation helpers belong in `lib/source_monitor/`. Generator templates and install scripts reside in `lib/generators/source_monitor/`. Tests sit in `test/`, with fixtures under `test/fixtures/feeds/`, and the dummy host app in `test/dummy/` for integration coverage. Keep shared UI assets under `app/assets/` and engine configuration in `config/initializers/`.
 
-### Project Dependencies & context7 links
+## Architecture Conventions
 
-- Feedjirra - https://context7.com/feedjira/feedjira
+### Models First
+- Business logic lives in models. Use concerns for horizontal sharing.
+- Service objects ONLY for operations spanning 3+ models or external integrations.
+- Query objects for complex queries that don't fit a single scope.
+- Presenters (SimpleDelegator) for view-specific formatting.
 
-## Project Structure & Module Organization
+### Everything-is-CRUD Routing
+- Prefer creating a new resource over adding custom actions.
+- `POST /posts/:id/publications` over `POST /posts/:id/publish`.
+- RESTful routes only; no `member` or `collection` blocks with custom verbs.
 
-The engine follows the Rails mountable layout generated by `rails plugin new source_monitor --mountable`. Runtime code lives under `app/` (controllers, jobs, views) and is namespaced as `SourceMonitor`. Long-lived services, adapters, and instrumentation helpers belong in `lib/source_monitor/`. Generator templates and install scripts reside in `lib/generators/source_monitor/`. Tests sit in `test/`, with fixtures under `test/fixtures/feeds/`, and the dummy host app in `test/dummy/` for integration coverage. Keep shared UI assets under `app/assets/` and engine configuration in `config/initializers/`.
+### State as Records
+- Track business state transitions as separate records (who/when/why).
+- Boolean columns ONLY for technical flags (e.g., `email_verified`, `open_access`).
 
-## Build, Test, and Development Commands
+### Jobs
+- Shallow jobs: call `_later` or `_now` methods on models/services.
+- Jobs contain only deserialization + delegation. No business logic.
+- Use Solid Queue recurring jobs for scheduled work.
 
-Run `bin/setup` to install gems, prepare the dummy database, and compile Tailwind. Use `bin/rails test` (or `bundle exec rake test`) for the full MiniTest suite, including system tests through the dummy app. During feature work, `bin/dev` starts the dummy app with Solid Queue workers and Tailwind watcher. Trigger a feed ingest locally with `bin/rails runner 'SourceMonitor::FetchFeeds.call'` once the fetcher service lands.
+### Frontend
+- Turbo Frames for partial page updates.
+- Turbo Streams for real-time broadcasts.
+- Stimulus controllers: small, focused, one behavior each.
+- Tailwind CSS utility classes; extract components for repeated patterns.
 
-## Background Job Defaults
+## Coding Style & Naming Conventions
 
-- SourceMonitor ensures Solid Queue is the default adapter when the host app is still using the async adapter, but respects any explicit `ActiveJob` configuration already in place. Override queues/concurrency via `SourceMonitor.configure`.
-- Queue names are namespaced (`source_monitor_fetch`/`source_monitor_scrape` by default) and automatically honor host `queue_name_prefix`. Use `SourceMonitor.queue_name(:fetch)` helpers inside jobs.
-- Dashboard queue metrics read directly from Solid Queue tables via `SourceMonitor::Jobs::SolidQueueMetrics`. Host apps must install the Solid Queue migrations (reuse the engine's `20251009140000_create_solid_queue_tables.rb` or run `rails solid_queue:install`) for the card to surface ready/scheduled/failed counts; otherwise the UI falls back to an availability warning. Mission Control remains optional for deeper drill-downs.
-- The dummy host keeps Solid Queue tables in the primary database via `20251009140000_create_solid_queue_tables.rb`. Real apps can either reuse that migration or run `rails solid_queue:install` to manage a dedicated queue database—Mission Control expects one of those setups before it can surface data.
-- Recurring schedules live in `config/recurring.yml`, scheduling `SourceMonitor::ScheduleFetchesJob` each minute plus the scraping scheduler every two minutes. Override the schedule path with `bin/jobs --recurring_schedule_file=...` (or `SOLID_QUEUE_RECURRING_SCHEDULE_FILE`) and disable recurring runners with `SOLID_QUEUE_SKIP_RECURRING=true` or `bin/jobs --skip-recurring`.
-- Hosts that need to wrap Solid Queue command execution can set `config.recurring_command_job_class` in the generated initializer to point at their custom job class.
+Use two-space indentation and Ruby 4.0+ syntax. Keep engine classes under the `SourceMonitor::` namespace; new modules should mirror their directory, e.g., `lib/source_monitor/fetching/pipeline.rb`. Favor service objects ending in `Service`, jobs ending in `Job`, and background channels ending in `Channel`. Rails defaults handle formatting, but run `bin/rubocop` (configured via `.rubocop.yml`) before opening a PR. For views, stick with ERB and Tailwind utility classes.
+
+Sub-module extraction pattern: create `module/submodule.rb` with `require_relative`, lazy accessors, and forwarding methods for backward compatibility. The project uses Ruby autoload for `lib/` modules (not Zeitwerk).
+
+## Clean Coding Principles
+
+- **SRP**: Classes and methods should have a single responsibility.
+- **DRY**: Avoid duplication; changes should only need one edit.
+- **Depend on behaviour, not data**: Wrap instance variables in methods (`attr_reader`); use Struct for data structures.
+- **Minimise dependencies**: Use dependency injection, encapsulate external messages, prefer hash arguments.
+- **Depend on things that change less often than you do.**
 
 ## Configuration DSL
 
-- `SourceMonitor.configure` now exposes structured namespaces:
+- `SourceMonitor.configure` exposes structured namespaces:
+  - `config.authentication` gates the engine. With no `authenticate_with`/`authorize_with` handler configured, the engine is **fail-closed** and returns `403`. Set `config.authentication.open_access = true` (default `false`) only for local demos/sandboxes — never production.
   - `config.http` for Faraday timeouts, retry policy, proxy, and default headers. Per the [Faraday retry docs](https://github.com/lostisland/faraday/blob/main/docs/middleware/index.md), middleware options map 1:1 to the settings we surface (max retries, interval, backoff, statuses).
   - `config.scrapers` registers/overrides adapters by name; adapters must inherit from `SourceMonitor::Scrapers::Base` and are discovered before constant lookup.
   - `config.retention` supplies global defaults for `items_retention_days`, `max_items`, and the pruning strategy (`:destroy` or `:soft_delete`). Runtimes treat blank source fields as “inherit from config”.
@@ -57,29 +84,109 @@ Run `bin/setup` to install gems, prepare the dummy database, and compile Tailwin
 - `SourceMonitor::ItemCleanupJob` batches retention pruning across sources and can soft delete records (`rake source_monitor:cleanup:items` honours `SOFT_DELETE=true`, `SOURCE_IDS=1,2`). `SourceMonitor::LogCleanupJob` prunes old fetch/scrape logs (`rake source_monitor:cleanup:logs`, override `FETCH_LOG_DAYS` / `SCRAPE_LOG_DAYS`).
 - Nightly recurring entries in `config/recurring.yml` enqueue both cleanup jobs by default; adjust schedules or disable via Solid Queue overrides as needed.
 
-## Coding Style & Naming Conventions
+## Background Job Defaults
 
-Use two-space indentation and Ruby 4.0+ syntax. Keep engine classes under the `SourceMonitor::` namespace; new modules should mirror their directory, e.g., `lib/source_monitor/fetching/pipeline.rb`. Favor service objects ending in `Service`, jobs ending in `Job`, and background channels ending in `Channel`. Rails defaults handle formatting, but run `bundle exec rubocop` (configured via `.rubocop.yml`) before opening a PR. For views, stick with ERB and Tailwind utility classes.
+- SourceMonitor ensures Solid Queue is the default adapter when the host app is still using the async adapter, but respects any explicit `ActiveJob` configuration already in place. Override queues/concurrency via `SourceMonitor.configure`.
+- Queue names are namespaced (`source_monitor_fetch`/`source_monitor_scrape` by default) and automatically honor host `queue_name_prefix`. Use `SourceMonitor.queue_name(:fetch)` helpers inside jobs.
+- Dashboard queue metrics read directly from Solid Queue tables via `SourceMonitor::Jobs::SolidQueueMetrics`. Host apps must install the Solid Queue migrations (reuse the engine's `20251009140000_create_solid_queue_tables.rb` or run `rails solid_queue:install`) for the card to surface ready/scheduled/failed counts; otherwise the UI falls back to an availability warning. Mission Control remains optional for deeper drill-downs.
+- The dummy host keeps Solid Queue tables in the primary database via `20251009140000_create_solid_queue_tables.rb`. Real apps can either reuse that migration or run `rails solid_queue:install` to manage a dedicated queue database—Mission Control expects one of those setups before it can surface data.
+- Recurring schedules live in `config/recurring.yml`, scheduling `SourceMonitor::ScheduleFetchesJob` each minute plus the scraping scheduler every two minutes. Override the schedule path with `bin/jobs --recurring_schedule_file=...` (or `SOLID_QUEUE_RECURRING_SCHEDULE_FILE`) and disable recurring runners with `SOLID_QUEUE_SKIP_RECURRING=true` or `bin/jobs --skip-recurring`.
+- Hosts that need to wrap Solid Queue command execution can set `config.recurring_command_job_class` in the generated initializer to point at their custom job class.
+
+## Build, Test, and Development Commands
+
+Run `bin/setup` to install gems, prepare the dummy database, and compile Tailwind. During feature work, `bin/dev` starts the dummy app with Solid Queue workers and Tailwind watcher.
+
+```bash
+bin/dev                     # Start dev server
+bin/rails test              # Run the MiniTest suite (NOT a substitute for CI -- see below)
+bin/rubocop                 # Check style
+bin/rubocop -a              # Auto-fix style
+bin/brakeman --no-pager     # Security scan
+bin/rails db:migrate        # Run migrations
+```
+
+The dummy host app runs on **port 3002** (`cd test/dummy && bin/rails server -p 3002`).
+
+## Testing
 
-## Testing Guidelines
+- **Framework:** Minitest. NEVER use RSpec or FactoryBot. Name files with `_test.rb` and wrap suites in `module SourceMonitor`. Tests live in `test/models`, `test/controllers`, `test/system`, `test/lib`, `test/integration`.
+- **Helpers:** `create_source!` factory, `with_inline_jobs`, `with_queue_adapter`.
+- **HTTP:** WebMock disables external HTTP; VCR for recorded cassettes under `test/vcr_cassettes/` (record new fixtures with descriptive names like `source_fetch_success.yml`).
+- **Config isolation:** `test/test_helper.rb` calls `SourceMonitor.reset_configuration!` in every test's setup (rebuilding a fresh `Configuration`), so any config a test relies on must be set in setup, not the dummy initializer.
+- **Coverage:** Target >90% for new services; cover every model validation, scope, public method, and controller action, plus regression tests for bug fixes.
+- **Parallelism:** Coverage runs need `COVERAGE=1 PARALLEL_WORKERS=1` with **threads** (not forks) to avoid a PG segfault and SimpleCov data loss. Scope queries to a specific source/item to prevent cross-test contamination in parallel runs.
+- **Automate what you can:** Anything verifiable programmatically (config defaults, job enqueue behavior, controller responses) should be a test, not a manual checkpoint.
+
+## Quality Gates
+
+- `bin/rubocop` — zero offenses before commit (omakase: only ~45/775 cops enabled, all Metrics cops disabled — no file-size enforcement).
+- `bin/brakeman --no-pager` — zero warnings before merge.
+- `bin/rails test` — all tests pass.
+- `yarn build` — rebuild JS assets if any `.js` files changed (ESLint runs in CI).
+- No N+1 queries (use `includes`/`preload`).
+- No hardcoded credentials (use Rails credentials or ENV).
+
+### Pre-Push CI Checklist (run ALL before pushing to GitHub)
+
+Before pushing any branch (especially release branches), run the full CI equivalent locally:
+
+1. `bin/rubocop` — catches Ruby lint issues.
+2. `bin/test-coverage` — **this is what CI's `test` job actually runs.** Do NOT rely on `bin/rails test` to predict CI: `bin/rails test` uses a different harness/seed and does NOT run the diff-coverage gate, so it can be green (e.g. 1741/0) while CI fails. `bin/test-coverage` runs the real seed, the second `health_suite` pass, and the host-app-template test that **changes the process CWD mid-suite** (see gemspec note below).
+3. `bundle exec ruby bin/check-diff-coverage` — run AFTER `bin/test-coverage` (it reads `coverage/.resultset.json`). Reproduces the CI diff-coverage gate locally (threshold 90% on changed `app/`/`lib/` lines vs `origin/main`). This is the only way to know the gate passes before pushing.
+4. `bin/brakeman --no-pager` — catches security issues.
+5. `yarn build` — rebuilds JS and catches ESLint issues (CI runs ESLint separately).
+
+If legitimate coverage gaps remain after new code paths, refresh the baseline: `bin/test-coverage` then `bin/update-coverage-baseline`, and commit the regenerated `config/coverage_baseline.json`.
+
+**Why:** CI failures cost ~5 min per round-trip. Hard-won lessons:
+- **CI runs `bin/test-coverage`, not `bin/rails test`** — replicate the gate locally with steps 2 + 3. (v0.14.0: a green local `bin/rails test` masked a CI `bin/test-coverage` failure.)
+- **Diff coverage covers EVERY changed `app/`/`lib/` line**, including defensive/edge branches with no natural caller. If a branch can't be reached through a normal engine route (e.g. the `#130` turbo_stream flash-append, which only fires when a turbo_stream request carries a Rails flash), add a **test-only probe controller in the dummy app** (pattern: `test/dummy/app/controllers/test_support_controller.rb` + a route in `test/dummy/config/routes.rb`); subclass `SourceMonitor::ApplicationController` if the branch lives in the engine's filter chain.
+- Every `rescue`/fallback/error path in new source code needs test coverage.
+- **Gemspec packaging must be CWD-independent.** Do NOT use a bare `Dir[...]` glob in `source_monitor.gemspec` for file selection — it resolves against the process CWD, and during `bin/test-coverage` a sibling test chdir's into a generated host app, so the glob returns nothing and files silently drop from the package (v0.14.0 `#131`). Drive packaging from `git ls-files` inside the existing `Dir.chdir(File.expand_path(__dir__))` block.
+- JS files need `/* global */` declarations for browser APIs (MutationObserver, requestAnimationFrame, etc.); ESLint `no-undef` rejects them otherwise. Run `yarn build` after JS changes to sync sourcemaps.
+
+## Contribution Workflow
 
-MiniTest drives coverage (`test/models`, `test/controllers`, `test/system`). Name files with `_test.rb` and wrap suites in `module SourceMonitor`. Add VCR cassettes under `test/vcr_cassettes/` when touching HTTP clients, and record new fixtures with descriptive names like `source_fetch_success.yml`. Target >90% coverage for new services and include regression tests for bug fixes. Use `bin/rails test test/system` before changing UI flows.
+- Treat the engine like any external contributor would: no direct commits to `main`.
+- Before writing code, branch off the latest `origin/main` (use a descriptive `feature/` or `bugfix/` prefix) and open a draft PR on `github.com/dchuk/source_monitor`.
+- Push early and often to that branch so history stays visible; keep commits scoped and rebases local to your branch only.
+- Move the PR out of draft once tests pass and the slice is ready for review; request at least one review and wait for all CI jobs (lint, security, test + diff coverage, release_verification) to succeed before merging.
+- Merge via the PR UI (squash or rebase as agreed) after approval; avoid rewriting shared history post-push.
+- Tag releases only after the release PR merges, then follow the checklist in `CHANGELOG.md`. There are TWO version files — `lib/source_monitor/version.rb` AND the top-level `VERSION` — and both must match; run `bundle install` after a bump so `Gemfile.lock` stays in sync (CI runs `--frozen`).
 
 ## Commit & Pull Request Guidelines
 
-Adopt imperative commit messages in the format `scope: action`, e.g., `sources: enforce URL normalization`. Group unrelated work into separate commits. PRs should describe context, summarise the slice delivered, and list validation steps (`bin/rails test`, manual fetch run). Include screenshots or console output when altering UI or background jobs. Request at least one review and ensure CI completes before merge.
+Use Conventional Commit subjects in the format `type(scope): description`, e.g., `fix(fetch): resolve advisory lock contention`. Group unrelated work into separate commits. PRs should describe context, summarise the slice delivered, and list validation steps (`bin/test-coverage`, manual fetch run). Include screenshots or console output when altering UI or background jobs. Request at least one review and ensure CI completes before merge.
+
+## Security
 
-## Security & Configuration Tips
+### Protected files (NEVER read or output)
+- `.env`, `.env.*`
+- `config/master.key`, `config/credentials.yml.enc`
+- `.kamal/secrets`
+- Any `*.pem` / `*.key` files
 
+### Forbidden operations
+- `git push --force` to main/master/production
+- `git reset --hard` without explicit user confirmation
+- `rm -rf` on root, home, or parent directories
+- `chmod 777`
+
+### General
 Store secrets (API keys, webhook tokens) in `config/credentials/` and never commit plain-text values. When adding HTTP endpoints or webhooks, default to Solid Queue middleware for retries and respect the allowlist in `config/source_monitor.yml`. Document new environment variables in `config/application.yml.sample` and call out any migrations that impact host apps.
 
-## Clean Coding Principles
+## Maintenance: Skills & Docs Alignment
 
-- **SRP**: Classes and methods should have a single responsibility.
-- **DRY**: Avoid duplication; changes should only need one edit.
-- **Depend on behaviour, not data**: Wrap instance variables in methods (`attr_reader`); use Struct for data structures.
-- **Minimise dependencies**: Use dependency injection, encapsulate external messages, prefer hash arguments.
-- **Depend on things that change less often than you do.**
+Whenever engine code changes (models, configuration, pipeline, jobs, migrations, scrapers, events, health rules, or dashboard), the corresponding `sm-*` skill and its `reference/` files MUST be updated **in the same PR** so skills always reflect current engine behavior. Releases must also audit `README.md`, `docs/` (especially `docs/upgrade.md`), and the install initializer template against the source code.
+
+## Library Documentation
+
+- Use Context7 MCP constantly to look up fresh documentation for any task, especially tasks that rely on libraries or gems.
+
+### Project Dependencies & context7 links
+
+- Feedjira - https://context7.com/feedjira/feedjira
 
 ## Claude Code Skills
 
@@ -92,4 +199,4 @@ bin/rails source_monitor:skills:all            # All skills
 bin/rails source_monitor:skills:remove         # Remove all sm-* skills
 ```
 
-See `CLAUDE.md` for the full skills catalog and usage details.
+See `CLAUDE.md` for the full skills catalog (consumer vs. contributor) and the `.claude/` agent catalog.

data/CHANGELOG.md

@@ -15,6 +15,20 @@ All notable changes to this project are documented below. The format follows [Ke
 
 - No unreleased changes yet.
 
+## [0.15.0] - 2026-06-18
+
+### Security
+- Bump Rails to 8.1.3 via the 8.1.2.1 security release (#104), picking up fixes for five CVEs including XSS in tag/DebugExceptions helpers, an Active Storage path-traversal, and a NumberConverter issue.
+
+### Changed
+- **Allow ViewComponent 4.x** (#96). The `view_component` dependency constraint widens from `>= 3.0, < 4.0` to `>= 3.0, < 5.0`, so host apps can now resolve ViewComponent 4.x (the engine's lockfile moves to 4.5.0). The engine's components use only stable ViewComponent APIs and are unaffected by the v4 upgrade — but a host app on its own ViewComponent 3.x customizations should review the v4 upgrade notes before running `bundle update`.
+- Bump Solid Queue to 1.4.0 (#102) — race-condition and supervisor stability fixes; the new dynamic recurring-tasks feature is opt-in and off by default.
+- Bump nokolexbor to 0.6.4 (#103) and json to 2.19.2 (#99).
+- Development/CI dependency bumps: test-prof 1.6.0 (#101), webmock 3.26.2 (#100), brakeman 8.0.4 (#88), selenium-webdriver 4.41.0 (#78), stackprof 0.2.28 (#71), and the GitHub Actions artifact actions (#87, #86).
+
+### Documentation
+- Consolidate engine conventions into `AGENTS.md` as the canonical, cross-agent reference; `CLAUDE.md` now points to it instead of duplicating content (#134).
+
 ## [0.14.0] - 2026-05-28
 
 ### Security (BREAKING)

data/CLAUDE.md

@@ -2,6 +2,8 @@
 
 **Core value:** Drop-in Rails engine for feed monitoring, content scraping, and operational dashboards.
 
+> **Engine conventions live in [`AGENTS.md`](AGENTS.md)** — the canonical, cross-agent reference for tech stack, architecture, testing, quality gates, the pre-push CI checklist, security rules, configuration DSL, and commands. This file holds only Claude Code-specific context: working memory, VBW commands, and the `.claude/` agent/skill catalogs. When a convention changes, edit `AGENTS.md`, not here.
+
 ## Active Context
 
 **Last shipped:** rails-audit-and-refactoring (7 phases, 30 plans)
@@ -10,7 +12,7 @@
 ## Key Decisions
 
 - Keep PostgreSQL-only for now
-- Keep host-app auth model
+- Keep host-app auth model (fail-closed by default since #129)
 - Ruby autoload for lib/ modules (not Zeitwerk)
 - PG parallel fork segfault resolved: switched to thread-based parallelism in aia-ssl-fix milestone
 
@@ -23,13 +25,6 @@
 - vastai (global)
 - find-skills (global)
 
-## Learned Patterns
-
-- Sub-module extraction: create `module/submodule.rb` with `require_relative`, lazy accessors, forwarding methods for backward compat
-- Coverage runs need `COVERAGE=1 PARALLEL_WORKERS=1` with threads (not forks) to avoid PG segfault and SimpleCov data loss
-- Test isolation: scope queries to specific source/item to prevent cross-test contamination in parallel runs
-- RuboCop omakase: only 45/775 cops enabled, all Metrics cops disabled -- no file size enforcement
-
 ## VBW Commands
 
 This project uses VBW (Vibe Better with Claude Code).
@@ -38,111 +33,10 @@ Run /vbw:help for all commands.
 
 ---
 
-# Rails Development Conventions
-
-## Tech Stack
-
-| Layer | Technology |
-|-------|------------|
-| Ruby | 4.0+ |
-| Rails | 8.x |
-| Testing | Minitest (no fixtures -- uses factory helpers + WebMock/VCR) |
-| Authorization | Host app responsibility (mountable engine) |
-| Jobs | Solid Queue |
-| Frontend | Hotwire (Turbo + Stimulus) + Tailwind CSS |
-| Linting | RuboCop (omakase) + Brakeman |
-| Database | PostgreSQL only |
-
-## Architecture Conventions
-
-### Models First
-- Business logic lives in models. Use concerns for horizontal sharing.
-- Service objects ONLY for operations spanning 3+ models or external integrations.
-- Query objects for complex queries that don't fit a single scope.
-- Presenters (SimpleDelegator) for view-specific formatting.
-
-### Everything-is-CRUD Routing
-- Prefer creating a new resource over adding custom actions.
-- `POST /posts/:id/publications` over `POST /posts/:id/publish`.
-- RESTful routes only; no `member` or `collection` blocks with custom verbs.
-
-### State as Records
-- Track business state transitions as separate records (who/when/why).
-- Boolean columns ONLY for technical flags (e.g., `email_verified`).
-
-### Jobs
-- Shallow jobs: call `_later` or `_now` methods on models/services.
-- Jobs contain only deserialization + delegation. No business logic.
-- Use Solid Queue recurring jobs for scheduled work.
-
-### Frontend
-- Turbo Frames for partial page updates.
-- Turbo Streams for real-time broadcasts.
-- Stimulus controllers: small, focused, one behavior each.
-- Tailwind CSS utility classes; extract components for repeated patterns.
-
-## Testing Conventions
-
-- **Framework:** Minitest. NEVER use RSpec or FactoryBot.
-- **Helpers:** `create_source!` factory, `with_inline_jobs`, `with_queue_adapter`.
-- **HTTP:** WebMock disables external HTTP; VCR for recorded cassettes.
-- **Config:** Reset every test with `SourceMonitor.reset_configuration!`.
-- **TDD workflow:** Red (failing test) -> Green (minimal pass) -> Refactor.
-- **Coverage:** Every model validation, scope, and public method. Every controller action.
-
-## Quality Gates
-
-- `bin/rubocop` -- zero offenses before commit.
-- `bin/brakeman --no-pager` -- zero warnings before merge.
-- `bin/rails test` -- all tests pass.
-- `yarn build` -- rebuild JS assets if any `.js` files changed (ESLint runs in CI).
-- No N+1 queries (use `includes`/`preload`).
-- No hardcoded credentials (use Rails credentials or ENV).
-
-### Pre-Push CI Checklist (run ALL before pushing to GitHub)
-
-Before pushing any branch (especially release branches), run the full CI equivalent locally:
-
-1. `bin/rubocop` -- catches Ruby lint issues
-2. `PARALLEL_WORKERS=1 bin/rails test` -- catches test failures AND diff coverage gaps
-3. `bin/brakeman --no-pager` -- catches security issues
-4. `yarn build` -- rebuilds JS and catches ESLint issues (CI runs ESLint separately)
-
-**Why:** CI failures cost ~5 min per round-trip. In v0.8.0, skipping ESLint and diff coverage checks locally caused 2 wasted CI cycles. Common blind spots:
-- JS files need `/* global */` declarations for browser APIs (MutationObserver, requestAnimationFrame, etc.)
-- Every `rescue` / fallback / error path in new source code needs test coverage (CI diff coverage gate rejects uncovered lines)
-- `yarn build` must run after JS changes to sync sourcemaps
-
-## QA and UAT Rules
+## QA and UAT Rules (Claude Code)
 
 - **Browser-first verification:** During VBW QA (`/vbw:qa`) and UAT (`/vbw:verify`), ALWAYS start by using `agent-browser` to test UI scenarios yourself before presenting checkpoints to the user. Navigate to the dummy app (port 3002), take snapshots/screenshots, and verify visual and functional behavior with agents first.
-- **Automate what you can:** Any test that can be verified programmatically (config defaults, job enqueue behavior, controller responses) should be automated -- only present truly visual/interactive tests to the user.
-- **Dummy app port:** The SourceMonitor dummy app runs on port 3002 (`cd test/dummy && bin/rails server -p 3002`).
-
-## Security Rules
-
-### Protected Files (NEVER read or output)
-- `.env`, `.env.*`
-- `config/master.key`, `config/credentials.yml.enc`
-- `.kamal/secrets`
-- Any `*.pem`, `*.key` files
-
-### Forbidden Operations
-- `git push --force` to main/master/production
-- `git reset --hard` without explicit user confirmation
-- `rm -rf` on root, home, or parent directories
-- `chmod 777`
-
-## Development Commands
-
-```bash
-bin/dev                     # Start dev server
-bin/rails test              # Run all tests
-bin/rubocop                 # Check style
-bin/rubocop -a              # Auto-fix style
-bin/brakeman --no-pager     # Security scan
-bin/rails db:migrate        # Run migrations
-```
+- **Automate what you can:** anything verifiable programmatically should be a test — see the Testing section in [`AGENTS.md`](AGENTS.md) — and only present truly visual/interactive checks to the user.
 
 ## Agent Catalog
 
@@ -200,7 +94,7 @@ These skills are available in `.claude/skills/`:
 
 ## Source Monitor Skills
 
-Engine-specific skills (`sm-*` prefix). Consumer skills install by default; contributor skills are opt-in.
+Engine-specific skills (`sm-*` prefix). Consumer skills install by default; contributor skills are opt-in. The **Skills & Docs Alignment** maintenance rule lives in [`AGENTS.md`](AGENTS.md).
 
 ### Consumer Skills (default install)
 
@@ -237,7 +131,3 @@ bin/rails source_monitor:skills:contributor     # Contributor skills
 bin/rails source_monitor:skills:all            # All skills
 bin/rails source_monitor:skills:remove         # Remove all sm-* skills
 ```
-
-## Maintenance Rules
-
-- **Skills & docs alignment**: Whenever engine code changes (models, configuration, pipeline, jobs, migrations, scrapers, events, health rules, or dashboard), the corresponding `sm-*` skill and its `reference/` files MUST be updated in the same PR to ensure skills always reflect current engine behavior.

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    source_monitor (0.14.0)
+    source_monitor (0.15.0)
       cssbundling-rails (~> 1.4)
       faraday (~> 2.9)
       faraday-follow_redirects (~> 0.4)
@@ -16,36 +16,36 @@ PATH
       solid_cable (>= 3.0, < 4.0)
       solid_queue (>= 0.3, < 3.0)
       turbo-rails (~> 2.0)
-      view_component (>= 3.0, < 4.0)
+      view_component (>= 3.0, < 5.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    action_text-trix (2.1.16)
+    action_text-trix (2.1.17)
       railties
-    actioncable (8.1.2)
-      actionpack (= 8.1.2)
-      activesupport (= 8.1.2)
+    actioncable (8.1.3)
+      actionpack (= 8.1.3)
+      activesupport (= 8.1.3)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
       zeitwerk (~> 2.6)
-    actionmailbox (8.1.2)
-      actionpack (= 8.1.2)
-      activejob (= 8.1.2)
-      activerecord (= 8.1.2)
-      activestorage (= 8.1.2)
-      activesupport (= 8.1.2)
+    actionmailbox (8.1.3)
+      actionpack (= 8.1.3)
+      activejob (= 8.1.3)
+      activerecord (= 8.1.3)
+      activestorage (= 8.1.3)
+      activesupport (= 8.1.3)
       mail (>= 2.8.0)
-    actionmailer (8.1.2)
-      actionpack (= 8.1.2)
-      actionview (= 8.1.2)
-      activejob (= 8.1.2)
-      activesupport (= 8.1.2)
+    actionmailer (8.1.3)
+      actionpack (= 8.1.3)
+      actionview (= 8.1.3)
+      activejob (= 8.1.3)
+      activesupport (= 8.1.3)
       mail (>= 2.8.0)
       rails-dom-testing (~> 2.2)
-    actionpack (8.1.2)
-      actionview (= 8.1.2)
-      activesupport (= 8.1.2)
+    actionpack (8.1.3)
+      actionview (= 8.1.3)
+      activesupport (= 8.1.3)
       nokogiri (>= 1.8.5)
       rack (>= 2.2.4)
       rack-session (>= 1.0.1)
@@ -53,36 +53,36 @@ GEM
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
       useragent (~> 0.16)
-    actiontext (8.1.2)
+    actiontext (8.1.3)
       action_text-trix (~> 2.1.15)
-      actionpack (= 8.1.2)
-      activerecord (= 8.1.2)
-      activestorage (= 8.1.2)
-      activesupport (= 8.1.2)
+      actionpack (= 8.1.3)
+      activerecord (= 8.1.3)
+      activestorage (= 8.1.3)
+      activesupport (= 8.1.3)
       globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (8.1.2)
-      activesupport (= 8.1.2)
+    actionview (8.1.3)
+      activesupport (= 8.1.3)
       builder (~> 3.1)
       erubi (~> 1.11)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
-    activejob (8.1.2)
-      activesupport (= 8.1.2)
+    activejob (8.1.3)
+      activesupport (= 8.1.3)
       globalid (>= 0.3.6)
-    activemodel (8.1.2)
-      activesupport (= 8.1.2)
-    activerecord (8.1.2)
-      activemodel (= 8.1.2)
-      activesupport (= 8.1.2)
+    activemodel (8.1.3)
+      activesupport (= 8.1.3)
+    activerecord (8.1.3)
+      activemodel (= 8.1.3)
+      activesupport (= 8.1.3)
       timeout (>= 0.4.0)
-    activestorage (8.1.2)
-      actionpack (= 8.1.2)
-      activejob (= 8.1.2)
-      activerecord (= 8.1.2)
-      activesupport (= 8.1.2)
+    activestorage (8.1.3)
+      actionpack (= 8.1.3)
+      activejob (= 8.1.3)
+      activerecord (= 8.1.3)
+      activesupport (= 8.1.3)
       marcel (~> 1.0)
-    activesupport (8.1.2)
+    activesupport (8.1.3)
       base64
       bigdecimal
       concurrent-ruby (~> 1.0, >= 1.3.1)
@@ -95,12 +95,12 @@ GEM
       securerandom (>= 0.3)
       tzinfo (~> 2.0, >= 2.0.5)
       uri (>= 0.13.1)
-    addressable (2.8.7)
-      public_suffix (>= 2.0.2, < 7.0)
+    addressable (2.9.0)
+      public_suffix (>= 2.0.2, < 8.0)
     ast (2.4.3)
     base64 (0.3.0)
-    bigdecimal (4.0.1)
-    brakeman (8.0.2)
+    bigdecimal (4.1.2)
+    brakeman (8.0.4)
       racc
     builder (3.3.0)
     capybara (3.40.0)
@@ -125,7 +125,7 @@ GEM
     digest (3.2.1)
     docile (1.4.1)
     drb (2.2.3)
-    erb (6.0.1)
+    erb (6.0.2)
     erubi (1.13.1)
     et-orbi (1.4.0)
       tzinfo
@@ -163,11 +163,11 @@ GEM
       reline (>= 0.4.2)
     jsbundling-rails (1.3.1)
       railties (>= 6.0.0)
-    json (2.18.1)
+    json (2.19.2)
     language_server-protocol (3.17.0.5)
     lint_roller (1.1.0)
     logger (1.7.0)
-    loofah (2.25.0)
+    loofah (2.25.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
     mail (2.9.0)
@@ -178,17 +178,17 @@ GEM
       net-smtp
     marcel (1.1.0)
     matrix (0.4.3)
-    method_source (1.1.0)
     mini_magick (5.3.1)
       logger
     mini_mime (1.1.5)
     mini_portile2 (2.8.9)
-    minitest (6.0.1)
+    minitest (6.0.2)
+      drb (~> 2.0)
       prism (~> 1.5)
     minitest-mock (5.27.0)
     net-http (0.9.1)
       uri (>= 0.11.1)
-    net-imap (0.6.2)
+    net-imap (0.6.3)
       date
       net-protocol
     net-pop (0.1.2)
@@ -198,18 +198,18 @@ GEM
     net-smtp (0.5.1)
       net-protocol
     nio4r (2.7.5)
-    nokogiri (1.19.0)
+    nokogiri (1.19.2)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
-    nokogiri (1.19.0-aarch64-linux-gnu)
+    nokogiri (1.19.2-aarch64-linux-gnu)
       racc (~> 1.4)
-    nokogiri (1.19.0-aarch64-linux-musl)
+    nokogiri (1.19.2-aarch64-linux-musl)
       racc (~> 1.4)
-    nokogiri (1.19.0-arm-linux-gnu)
+    nokogiri (1.19.2-arm-linux-gnu)
       racc (~> 1.4)
-    nokogiri (1.19.0-arm-linux-musl)
+    nokogiri (1.19.2-arm-linux-musl)
       racc (~> 1.4)
-    nokolexbor (0.6.2)
+    nokolexbor (0.6.4)
     ostruct (0.6.3)
     parallel (1.27.0)
     parser (3.3.10.1)
@@ -229,12 +229,12 @@ GEM
     psych (5.3.1)
       date
       stringio
-    public_suffix (6.0.2)
+    public_suffix (7.0.5)
     puma (7.2.0)
       nio4r (~> 2.0)
     raabro (1.4.0)
     racc (1.8.1)
-    rack (3.2.4)
+    rack (3.2.5)
     rack-session (2.1.1)
       base64 (>= 0.1.0)
       rack (>= 3.0.0)
@@ -242,30 +242,30 @@ GEM
       rack (>= 1.3)
     rackup (2.3.1)
       rack (>= 3)
-    rails (8.1.2)
-      actioncable (= 8.1.2)
-      actionmailbox (= 8.1.2)
-      actionmailer (= 8.1.2)
-      actionpack (= 8.1.2)
-      actiontext (= 8.1.2)
-      actionview (= 8.1.2)
-      activejob (= 8.1.2)
-      activemodel (= 8.1.2)
-      activerecord (= 8.1.2)
-      activestorage (= 8.1.2)
-      activesupport (= 8.1.2)
+    rails (8.1.3)
+      actioncable (= 8.1.3)
+      actionmailbox (= 8.1.3)
+      actionmailer (= 8.1.3)
+      actionpack (= 8.1.3)
+      actiontext (= 8.1.3)
+      actionview (= 8.1.3)
+      activejob (= 8.1.3)
+      activemodel (= 8.1.3)
+      activerecord (= 8.1.3)
+      activestorage (= 8.1.3)
+      activesupport (= 8.1.3)
       bundler (>= 1.15.0)
-      railties (= 8.1.2)
+      railties (= 8.1.3)
     rails-dom-testing (2.3.0)
       activesupport (>= 5.0.0)
       minitest
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.6.2)
-      loofah (~> 2.21)
+    rails-html-sanitizer (1.7.0)
+      loofah (~> 2.25)
       nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
-    railties (8.1.2)
-      actionpack (= 8.1.2)
-      activesupport (= 8.1.2)
+    railties (8.1.3)
+      actionpack (= 8.1.3)
+      activesupport (= 8.1.3)
       irb (~> 1.13)
       rackup (>= 1.0.0)
       rake (>= 12.2)
@@ -321,7 +321,7 @@ GEM
     rubyzip (3.2.2)
     sax-machine (1.3.2)
     securerandom (0.4.1)
-    selenium-webdriver (4.40.0)
+    selenium-webdriver (4.41.0)
       base64 (~> 0.2)
       logger (~> 1.4)
       rexml (~> 3.2, >= 3.2.5)
@@ -338,18 +338,18 @@ GEM
       activejob (>= 7.2)
       activerecord (>= 7.2)
       railties (>= 7.2)
-    solid_queue (1.3.1)
+    solid_queue (1.4.0)
       activejob (>= 7.1)
       activerecord (>= 7.1)
       concurrent-ruby (>= 1.3.1)
       fugit (~> 1.11)
       railties (>= 7.1)
       thor (>= 1.3.1)
-    stackprof (0.2.27)
+    stackprof (0.2.28)
     stringio (3.2.0)
-    test-prof (1.5.2)
+    test-prof (1.6.0)
     thor (1.5.0)
-    timeout (0.6.0)
+    timeout (0.6.1)
     tsort (0.2.0)
     turbo-rails (2.0.23)
       actionpack (>= 7.1.0)
@@ -362,11 +362,11 @@ GEM
     uri (1.1.1)
     useragent (0.16.11)
     vcr (6.4.0)
-    view_component (3.24.0)
-      activesupport (>= 5.2.0, < 8.2)
+    view_component (4.5.0)
+      actionview (>= 7.1.0)
+      activesupport (>= 7.1.0)
       concurrent-ruby (~> 1)
-      method_source (~> 1.0)
-    webmock (3.26.1)
+    webmock (3.26.2)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
@@ -377,7 +377,7 @@ GEM
     websocket-extensions (0.1.5)
     xpath (3.2.0)
       nokogiri (~> 1.8)
-    zeitwerk (2.7.4)
+    zeitwerk (2.7.5)
     zlib (3.2.2)
 
 PLATFORMS

data/README.md

@@ -9,8 +9,8 @@ SourceMonitor is a production-ready Rails 8 mountable engine for ingesting, norm
 In your host Rails app:
 
 ```bash
-bundle add source_monitor --version "~> 0.14.0"
-# or add `gem "source_monitor", "~> 0.14.0"` manually, then run:
+bundle add source_monitor --version "~> 0.15.0"
+# or add `gem "source_monitor", "~> 0.15.0"` manually, then run:
 bundle install
 ```
 
@@ -46,7 +46,7 @@ This exposes `bin/source_monitor` (via Bundler binstubs) so you can run the guid
 Before running any SourceMonitor commands inside your host app, add the gem and install dependencies:
 
 ```bash
-bundle add source_monitor --version "~> 0.14.0"
+bundle add source_monitor --version "~> 0.15.0"
 # or edit your Gemfile, then run
 bundle install
 ```

data/VERSION

@@ -1 +1 @@
-0.14.0
+0.15.0

data/docs/setup.md

@@ -7,7 +7,7 @@ This guide consolidates the new guided installer, verification commands, and rol
 | Requirement | Minimum | Notes |
 | --- | --- | --- |
 | Ruby | 4.0.1 | Use rbenv and match the engine's `.ruby-version`. |
-| Rails | 8.1.2 | Run `bin/rails about` inside the host to confirm. |
+| Rails | 8.1.3 | Run `bin/rails about` inside the host to confirm. |
 | PostgreSQL | 14+ | Required for Solid Queue tables and item storage. |
 | Node.js | 18+ | Needed for Tailwind/esbuild assets when the host owns node tooling. |
 | Background jobs | Solid Queue (>= 0.3, < 3.0) | Add `solid_queue` to the host Gemfile if not present. |
@@ -18,8 +18,8 @@ This guide consolidates the new guided installer, verification commands, and rol
 Run these commands inside your host Rails application before invoking the guided workflow:
 
 ```bash
-bundle add source_monitor --version "~> 0.14.0"
-# or add gem "source_monitor", "~> 0.14.0" to Gemfile manually
+bundle add source_monitor --version "~> 0.15.0"
+# or add gem "source_monitor", "~> 0.15.0" to Gemfile manually
 bundle install
 ```
 

data/docs/upgrade.md

@@ -46,6 +46,20 @@ If a removed option raises an error (`SourceMonitor::DeprecatedOptionError`), yo
 
 ## Version-Specific Notes
 
+### Upgrading to 0.15.0
+
+**What changed:**
+- **Security:** Rails bumped to 8.1.3 (security release), fixing five CVEs including XSS in tag/DebugExceptions helpers, an Active Storage path-traversal, and a NumberConverter issue.
+- **ViewComponent 4.x compatibility:** The `view_component` dependency constraint widens from `>= 3.0, < 4.0` to `>= 3.0, < 5.0`, so host apps can now resolve ViewComponent 4.x (the engine's lockfile moves to 4.5.0). The engine's components use only stable ViewComponent APIs unaffected by the v4 upgrade, but host apps with their own ViewComponent 3.x customizations should review the [ViewComponent v4 release notes](https://github.com/ViewComponent/view_component/releases) before running `bundle update`.
+- **Solid Queue 1.4.0:** Bumped from 1.3.1 with race-condition and supervisor stability fixes. The new dynamic recurring-tasks feature is opt-in and off by default.
+- **Documentation:** Engine conventions consolidated into `AGENTS.md` as the canonical cross-agent reference; `CLAUDE.md` now points to it.
+
+**Action items:**
+1. `bundle update source_monitor`
+2. `bin/rails source_monitor:upgrade`
+3. No database migrations and no breaking API or configuration changes.
+4. If your host app has its own ViewComponent 3.x customizations, test after upgrading and consult the ViewComponent v4 migration guide if issues arise.
+
 ### Upgrading to 0.14.0
 
 **What changed:**

data/lib/source_monitor/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SourceMonitor
-  VERSION = "0.14.0"
+  VERSION = "0.15.0"
 end

data/source_monitor.gemspec

@@ -51,5 +51,5 @@ Gem::Specification.new do |spec|
   spec.add_dependency "solid_queue", ">= 0.3", "< 3.0"
   spec.add_dependency "solid_cable", ">= 3.0", "< 4.0"
   spec.add_dependency "ransack", "~> 4.2"
-  spec.add_dependency "view_component", ">= 3.0", "< 4.0"
+  spec.add_dependency "view_component", ">= 3.0", "< 5.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: source_monitor
 version: !ruby/object:Gem::Version
-  version: 0.14.0
+  version: 0.15.0
 platform: ruby
 authors:
 - dchuk
@@ -238,7 +238,7 @@ dependencies:
         version: '3.0'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: '5.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -248,7 +248,7 @@ dependencies:
         version: '3.0'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: '5.0'
 description: SourceMonitor is a mountable Rails 8 engine that ingests RSS, Atom, and
   JSON feeds, scrapes full article content, and surfaces Solid Queue powered dashboards
   for monitoring and remediation.