source_monitor 0.6.0 → 0.7.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4710a57d0da9bd7c73f4f7b3a48a4bbfd31fa1927cf79423c9e8955f4b433378
-  data.tar.gz: e0847be423ba3022b3c853902de2061ed7b5b476801dc9f83aefdb957df239f4
+  metadata.gz: 135499910675f0d424b88ec25e1503f3068fdbd78ffa553942438efd886b72bd
+  data.tar.gz: a6b03ef217569a206d7521f2d8b42f3c300ab6ddf41e144cabaf24535f92b8dc
 SHA512:
-  metadata.gz: ccccf11d1adb294ca141cb4efb8459f1948ad339d09feb2b55140d7983fd04ffdb772d5a75cfc3b73c7ec40c085e80026c8791357837f8184fee59df06efe5d8
-  data.tar.gz: 56224653d622b47a309f36bda5b3860118e4743fbafee7d657e09b7f6876377631d17d9a118d803e9c37bed69724852f5706e2cbabff5ef438a58febf0231831
+  metadata.gz: b4e0ebe10a0211760f42d6a131cbf61eb09bf3f268006fbefe51636137c10ba0afc0413e2c39a46a8d3ff39037db07ba680a6f059599d7751b56a79d5deef1a3
+  data.tar.gz: 7bdfa9ca0995bb91757be78271ca171a14ec83cc54aef8d13b083446e3c23a96d4568718b40a944c83c802173124823609a36c405a68b8a0c81bb138891aa65b

data/.claude/commands/release.md

@@ -15,8 +15,10 @@ These are real issues encountered in previous releases. Each step below accounts
 3. **VBW volatile files**: Files in `.vbw-planning/` (`.cost-ledger.json`, `.notification-log.jsonl`, `.session-log.jsonl`, `.hook-errors.log`) are continuously modified by VBW hooks. They should be in `.gitignore`. If they aren't, add them before proceeding.
 4. **Pre-push hook**: The VBW pre-push hook at `.git/hooks/pre-push` requires the `VERSION` file to appear in the diff for any push. For new branches, it compares the commit against the working tree -- any dirty files will trigger a false positive. For force-pushes to existing branches where `VERSION` hasn't changed since the last push, use `--no-verify`.
 5. **Single squashed commit**: Always create ONE commit on the release branch with ALL changes (version bump, changelog, Gemfile.lock, any fixes). Multiple commits cause pre-push hook issues.
-6. **Diff coverage CI gate**: The `test` CI job enforces diff coverage. Any changed lines in source code (not just test files) must have test coverage. If you change source code during the release (e.g., bug fixes), you must add corresponding tests.
-7. **Local main divergence after merge**: After the PR merges, local main will have different commits than origin/main (pre-squash vs merged). You must `git reset --hard origin/main` to sync -- this requires user approval since the sandbox blocks it.
+6. **Diff coverage CI gate**: The `test` CI job enforces diff coverage. Any changed lines in source code (not just test files) must have test coverage. **This applies to ALL changes in the PR diff vs main, including unpushed commits made before the release started.** If the release includes source code changes (bug fixes, features), every changed source line must be covered.
+7. **Local main divergence after merge**: After the PR merges, `gh pr merge --merge --delete-branch` will attempt to fast-forward local main. This usually succeeds automatically. If it doesn't (divergent history), you must `git reset --hard origin/main` to sync -- this requires user approval since the sandbox blocks it.
+8. **Run local checks BEFORE pushing**: Always run `bin/rubocop` and `PARALLEL_WORKERS=1 bin/rails test` locally before the first push to the release branch. Each CI roundtrip (fail → fix → amend → force-push → re-run) costs ~5 minutes. In v0.7.0, skipping local checks caused two wasted CI cycles: first for uncovered diff lines, then for a RuboCop violation in the fix.
+9. **Zsh glob nomatch**: Commands like `rm -f *.gem` fail in zsh when no files match. Always use `rm -f *.gem 2>/dev/null || true` or check existence first with `ls`.
 
 ## Step 1: Git Hygiene
 
@@ -112,7 +114,25 @@ The changelog follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) f
 2. Verify the output shows the new version: `Using source_monitor X.Y.Z (was X.Y.Z-1)`.
 3. If `bundle install` fails, resolve the issue before proceeding.
 
-## Step 5: Create Release Branch with Single Squashed Commit
+## Step 5: Local Pre-flight Checks
+
+**CRITICAL**: Run these checks BEFORE creating the release branch and pushing. Each CI failure → fix → amend → force-push cycle wastes ~5 minutes. In v0.7.0, skipping this step caused two wasted CI roundtrips.
+
+1. **RuboCop**: Run `bin/rubocop` and fix any violations. Auto-fix with `bin/rubocop -a` if needed. This catches lint issues (like `SpaceInsideArrayLiteralBrackets`) that would fail the CI lint job.
+
+2. **Tests**: Run `PARALLEL_WORKERS=1 bin/rails test` and ensure all tests pass.
+
+3. **Diff coverage pre-check**: If the release includes source code changes beyond version/changelog/lockfile (check with `git diff --name-only origin/main`), review those files for uncovered branches. The CI diff coverage gate will reject any changed source lines without test coverage. Common blind spots:
+   - Fallback/else branches in new methods
+   - Error handling paths
+   - Guard clauses
+   If you find uncovered source lines, write tests for them NOW before creating the release commit — it's far cheaper than a CI roundtrip.
+
+4. **Brakeman**: Run `bin/brakeman --no-pager` and ensure zero warnings.
+
+Only proceed to Step 6 when all local checks pass.
+
+## Step 6: Create Release Branch with Single Squashed Commit
 
 **IMPORTANT**: All release changes MUST be in a single commit on the release branch. This avoids pre-push hook issues where individual commits are checked for VERSION changes.
 
@@ -124,13 +144,13 @@ The changelog follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) f
    Also stage any other files that were changed (updated skills, docs, etc.).
 3. Create a single commit:
    ```
-   chore: release vX.Y.Z
+   chore(release): release vX.Y.Z
    ```
 4. Push the branch: `git push -u origin release/vX.Y.Z`
    - If the pre-push hook blocks with a false positive (e.g., VBW files dirty in working tree despite being gitignored), use `git push -u --no-verify origin release/vX.Y.Z`. This is safe because we've verified VERSION is in the commit.
 5. If the push fails for other reasons, diagnose and fix before proceeding.
 
-## Step 6: Create PR
+## Step 7: Create PR
 
 1. Create the PR using `gh pr create`:
    - Title: `Release vX.Y.Z`
@@ -152,7 +172,7 @@ The changelog follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) f
    - Base: `main`
 2. Report the PR URL to the user.
 
-## Step 7: Monitor CI Pipeline
+## Step 8: Monitor CI Pipeline
 
 Poll the CI status using repeated `gh pr checks <PR_NUMBER>` calls. The CI has 4 required jobs: `lint`, `security`, `test`, `release_verification` (release_verification only runs after test passes).
 
@@ -163,7 +183,7 @@ Poll the CI status using repeated `gh pr checks <PR_NUMBER>` calls. The CI has 4
 
 ### If CI PASSES (all checks green):
 
-Continue to Step 8.
+Continue to Step 9. If Step 5 (local pre-flight) was done properly, CI should pass on the first attempt.
 
 ### If CI FAILS:
 
@@ -173,32 +193,32 @@ Continue to Step 8.
    gh run view <RUN_ID> --log-failed | tail -80
    ```
 3. **Common failure: diff coverage** -- If the `test` job fails on "Enforce diff coverage", it means changed source lines lack test coverage. Read the error to identify uncovered files/lines, write tests, and add them to the release commit.
-4. **Common failure: Gemfile.lock frozen** -- If `bundle install` fails in CI with "frozen mode", you forgot to run `bundle install` locally (Step 4).
-5. Present failure details to the user and ask what to do:
-   - "Fix the issues and re-push" -- Fix issues, amend the commit (`git commit --amend --no-edit`), force push (`git push --force-with-lease --no-verify origin release/vX.Y.Z`), and restart CI monitoring.
+4. **Common failure: Gemfile.lock frozen** -- If `bundle install` fails in CI with "frozen mode", you forgot to run `bundle install` locally (Step 4). Amend the commit with the updated lockfile.
+5. **Common failure: RuboCop lint** -- If the `lint` job fails, a RuboCop violation slipped through. This should have been caught in Step 5.
+6. **IMPORTANT: When fixing CI failures, run ALL local checks again before re-pushing.** Don't just fix the one failure — run `bin/rubocop` AND `PARALLEL_WORKERS=1 bin/rails test` to catch cascading issues. In v0.7.0, fixing a diff coverage failure introduced a RuboCop violation, requiring a third CI cycle.
+7. Present failure details to the user and ask what to do:
+   - "Fix the issues and re-push" -- Fix issues, run ALL local checks (rubocop + tests), amend the commit (`git commit --amend --no-edit`), force push (`git push --force-with-lease --no-verify origin release/vX.Y.Z`), and restart CI monitoring.
    - "Close the PR and abort" -- Close the PR, delete the branch, switch back to main.
    - "Investigate manually" -- Stop and let the user handle it.
 
 **Note on force pushes**: When force-pushing the release branch after amending, always use `--no-verify` because the pre-push hook will see the diff between old and new branch tips, and `VERSION` won't appear as changed (it's the same in both). This is expected and safe.
 
-## Step 8: Auto-Merge PR
+## Step 9: Auto-Merge PR
 
 Once CI is green:
 
 1. Merge the PR: `gh pr merge <PR_NUMBER> --merge --delete-branch`
+   - The `--delete-branch` flag also fetches and fast-forwards local main in most cases.
 
-2. **Sync local main with remote** (this is the tricky part):
-   - The merge creates a merge commit on origin/main that doesn't exist locally.
-   - Local main may have different commits (pre-squash) than what was merged.
+2. **Sync local main with remote**:
    - Switch to main: `git checkout main`
-   - Try `git pull origin main`. If it fails with conflicts or divergence:
-     - Ask the user to run `git reset --hard origin/main` (the sandbox blocks this command).
-     - Explain this is safe because the PR is merged and all changes are on origin/main.
-   - Verify with `git log --oneline -3` that local matches remote.
+   - The `gh pr merge` command usually auto-syncs local main via fast-forward. Verify with `git log --oneline -3` that local matches remote (`git rev-parse HEAD` == `git rev-parse origin/main`).
+   - If local is behind or diverged, try `git pull origin main`.
+   - If pull fails with conflicts or divergence (rare): ask the user to run `git reset --hard origin/main` (the sandbox blocks this command). Explain this is safe because the PR is merged and all changes are on origin/main.
 
 3. Report: "PR #N merged successfully."
 
-## Step 9: Tag the Release
+## Step 10: Tag the Release
 
 1. Verify you're on main and synced with origin.
 2. Create an annotated tag:
@@ -212,14 +232,17 @@ Once CI is green:
    ```
 5. Report the release URL.
 
-## Step 10: Build the Gem
+## Step 11: Build the Gem
 
-1. Clean any old gem files: `ls source_monitor-*.gem` and remove them if found (don't error if none exist).
+1. Clean any old gem files. **Note**: zsh fails on `rm -f *.gem` when no files match due to `nomatch`. Use:
+   ```
+   find . -maxdepth 1 -name 'source_monitor-*.gem' -delete
+   ```
 2. Build the gem: `gem build source_monitor.gemspec`
 3. Verify the gem was built: check for `source_monitor-X.Y.Z.gem` in the project root.
 4. Show the file size: `ls -la source_monitor-X.Y.Z.gem`
 
-## Step 11: Gem Push Instructions
+## Step 12: Gem Push Instructions
 
 Present the final instructions to the user:
 

data/.gitignore

@@ -22,3 +22,10 @@
 .vbw-planning/.claude-md-migrated
 .vbw-planning/.watchdog-pid
 .vbw-planning/.watchdog.log
+.vbw-planning/.agent-pids
+.vbw-planning/.agent-panes
+.vbw-planning/.active-agent
+.vbw-planning/.active-agent-count
+.vbw-planning/.todo-flat-migrated
+/codebase_analysis.md
+*.gem

data/.vbw-planning/ROADMAP.md

@@ -0,0 +1,53 @@
+# Roadmap
+
+## Milestone: aia-ssl-fix
+
+### Phases
+
+1. [x] **AIA Certificate Resolution** -- Fix SSL failures for feeds with missing intermediate certificates by implementing AIA (Authority Information Access) resolution
+2. [x] **Test Performance** -- Reduce test suite runtime from ~133s to ~50s by splitting monolithic test classes, enabling parallelism, reducing log IO, and adopting before_all
+
+### Phase Details
+
+#### Phase 1: AIA Certificate Resolution
+
+**Goal:** Implement automatic AIA intermediate certificate fetching so feeds like netflixtechblog.com (served via Medium/AWS with wrong intermediates) succeed without manual cert configuration.
+
+**Requirements:**
+- REQ-AIA-01: Create AIAResolver module with thread-safe cache and 1-hour TTL
+- REQ-AIA-02: Add cert_store: parameter to HTTP.client for custom cert stores
+- REQ-AIA-03: On Faraday::SSLError, attempt AIA resolution before failing
+- REQ-AIA-04: Best-effort only -- never make things worse (rescue StandardError -> nil)
+
+**Success Criteria:**
+- [ ] AIAResolver.resolve(hostname) fetches leaf cert, extracts AIA URL, downloads intermediate
+- [ ] HTTP.client(cert_store:) accepts and uses custom cert stores
+- [ ] FeedFetcher retries once with AIA-resolved cert store on SSL failure
+- [ ] All existing tests pass (1003+), new tests cover AIA paths
+- [ ] RuboCop zero offenses, Brakeman zero warnings
+
+#### Phase 2: Test Performance
+
+**Goal:** Reduce test suite wall-clock time from ~133s to ~50s through structural optimizations. The 3-agent investigation identified that FeedFetcherTest (71 tests, 84.8s, 64% of total) is a monolithic class that cannot be parallelized, integration tests add 31s, and 95MB of debug logging adds 5-15s.
+
+**Requirements:**
+- REQ-PERF-01: Split FeedFetcherTest into 5+ smaller classes by concern (success paths, error handling, adaptive interval, dirty-check, content fingerprint, utilities)
+- REQ-PERF-02: Set test log level to :warn in test/dummy/config/environments/test.rb (eliminates 95MB log IO)
+- REQ-PERF-03: Tag integration tests (host_install_flow, release_packaging) so they can be excluded during dev with --exclude-pattern
+- REQ-PERF-04: Switch default parallelism from forks to threads (avoids PG segfault, enables splitting benefit)
+- REQ-PERF-05: Adopt before_all/setup_once in top DB-heavy test files (dashboard/queries_test.rb, etc.)
+
+**Success Criteria:**
+- [ ] FeedFetcherTest split into 5+ files, each independently runnable
+- [ ] All 1031+ tests pass with PARALLEL_WORKERS=1 and default workers
+- [ ] Test suite completes in <70s locally (down from 133s)
+- [ ] `bin/rails test --exclude-pattern="**/integration/**"` runs <50s
+- [ ] RuboCop zero offenses, Brakeman zero warnings
+- [ ] No test isolation regressions (parallel runs still green)
+
+### Progress
+
+| Phase | Status | Plans | Completed |
+|-------|--------|-------|-----------|
+| 1. AIA Certificate Resolution | Complete | 3 | 3 |
+| 2. Test Performance | Complete | 4 | 4 |

data/.vbw-planning/STATE.md

@@ -0,0 +1,27 @@
+# State
+
+## Current Position
+
+- **Milestone:** aia-ssl-fix
+- **Phase:** 2 -- Test Performance
+- **Status:** Complete
+- **Progress:** 100%
+
+## Decisions
+
+| Decision | Date | Context |
+|----------|------|---------|
+| Single-phase milestone for AIA fix | 2026-02-17 | Complete plan already validated; no scoping needed |
+| 3 plans with wave parallelism | 2026-02-17 | Plans 01+02 (wave 1, disjoint files), Plan 03 (wave 2, integration) |
+
+## Todos
+
+## Metrics
+
+- **Started:** 2026-02-17
+- **Phases:** 1
+- **Plans:** 3
+- **Tests at start:** 1003
+- **Tests at end:** 1025
+- **Commits:** 4 (f60e9bf, 4c9568a, 9c38bc3, e68a6b0)
+- **Plans completed:** 3/3

data/.vbw-planning/phases/01-aia-certificate-resolution/.context-dev.md

@@ -0,0 +1,17 @@
+## Phase 1 Context
+
+### Goal
+Not available
+
+### Codebase Map Available
+Codebase mapping exists in `.vbw-planning/codebase/`. Key files:
+- `ARCHITECTURE.md`
+- `CONCERNS.md`
+- `PATTERNS.md`
+- `DEPENDENCIES.md`
+- `STRUCTURE.md`
+- `CONVENTIONS.md`
+- `TESTING.md`
+- `STACK.md`
+
+Read CONVENTIONS.md, PATTERNS.md, STRUCTURE.md, and DEPENDENCIES.md first to bootstrap codebase understanding.

data/.vbw-planning/phases/01-aia-certificate-resolution/PLAN-01-SUMMARY.md

@@ -0,0 +1,26 @@
+---
+phase: 1
+plan: 1
+status: complete
+---
+# Plan 01 Summary: AIA Resolver Module
+
+## Tasks Completed
+- [x] Task 1: Created lib/source_monitor/http/aia_resolver.rb
+- [x] Task 2: Created test/lib/source_monitor/http/aia_resolver_test.rb
+
+## Commits
+- 4c9568a: feat(1-1): add AIA intermediate certificate resolver
+
+## Files Modified
+- lib/source_monitor/http/aia_resolver.rb (created)
+- test/lib/source_monitor/http/aia_resolver_test.rb (created)
+
+## What Was Built
+- `SourceMonitor::HTTP::AIAResolver` module with thread-safe cached resolution of missing intermediate SSL certificates via AIA (Authority Information Access) X.509 extension
+- Public API: `resolve(hostname)`, `enhanced_cert_store(certs)`, `clear_cache!`, `cache_size`
+- Private methods: `fetch_leaf_certificate` (VERIFY_NONE + SNI), `extract_aia_url` (uses `cert.ca_issuer_uris`), `download_certificate` (DER-first, PEM fallback)
+- 11 unit tests covering all public/private methods, caching, TTL expiration, and error handling
+
+## Deviations
+- None

data/.vbw-planning/phases/01-aia-certificate-resolution/PLAN-01.md

@@ -0,0 +1,71 @@
+---
+phase: 1
+plan: 1
+title: "AIA Resolver Module"
+wave: 1
+depends_on: []
+must_haves:
+  - AIAResolver module with resolve, enhanced_cert_store, clear_cache!, cache_size
+  - Thread-safe Mutex + Hash cache with 1-hour TTL per hostname
+  - fetch_leaf_certificate with VERIFY_NONE and SNI support
+  - extract_aia_url using cert.ca_issuer_uris (not regex)
+  - download_certificate with DER-first, PEM-fallback parsing
+  - All methods rescue StandardError and return nil
+  - Unit tests covering all public and private methods
+---
+
+# Plan 01: AIA Resolver Module
+
+## Goal
+
+Create `SourceMonitor::HTTP::AIAResolver` -- a standalone module that resolves missing intermediate certificates via the AIA (Authority Information Access) extension in X.509 certificates.
+
+## Tasks
+
+### Task 1: Create lib/source_monitor/http/aia_resolver.rb
+
+Create new module `SourceMonitor::HTTP::AIAResolver` with class methods:
+
+**Public API:**
+- `resolve(hostname, port: 443)` -- Entry point. Checks cache first, then: fetch leaf cert -> extract AIA URL -> download intermediate. Returns `OpenSSL::X509::Certificate` or `nil`.
+- `enhanced_cert_store(additional_certs)` -- Builds `OpenSSL::X509::Store` with `set_default_paths` plus extra certs from the array.
+- `clear_cache!` -- Clears the hostname cache (for testing).
+- `cache_size` -- Returns number of cached entries (for testing).
+
+**Private methods:**
+- `fetch_leaf_certificate(hostname, port)` -- TCP+SSL connect with `VERIFY_NONE` to get the server's leaf cert. 5s connect timeout. Uses `ssl_socket.hostname=` for SNI.
+- `extract_aia_url(cert)` -- Uses Ruby's built-in `cert.ca_issuer_uris` method. Returns first URI string or nil.
+- `download_certificate(url)` -- Plain HTTP GET (AIA URLs are always HTTP, not HTTPS). 5s timeout. Parses DER body as `OpenSSL::X509::Certificate`, falls back to PEM on failure.
+
+**Cache:** `Mutex` + `Hash` keyed by hostname. Each entry stores `{ cert:, expires_at: }` with 1-hour TTL.
+
+**Safety:** All methods rescue `StandardError` and return `nil`. This is best-effort -- never makes things worse.
+
+### Task 2: Create test/lib/source_monitor/http/aia_resolver_test.rb
+
+Unit tests:
+- `extract_aia_url` with cert that has AIA extension returns URL
+- `extract_aia_url` with cert without AIA returns nil
+- `download_certificate` with DER body parses correctly (WebMock stub)
+- `download_certificate` returns nil on HTTP 404 (WebMock)
+- `download_certificate` returns nil on timeout (WebMock)
+- `enhanced_cert_store` returns store with added certs
+- `enhanced_cert_store` handles empty array gracefully
+- Cache: resolve stores result, second call returns cached
+- Cache: expired entries are re-fetched
+- `clear_cache!` empties the cache
+- `resolve` returns nil when hostname unreachable (stub fetch_leaf_certificate)
+
+## Files
+
+| Action | Path |
+|--------|------|
+| CREATE | `lib/source_monitor/http/aia_resolver.rb` |
+| CREATE | `test/lib/source_monitor/http/aia_resolver_test.rb` |
+
+## Verification
+
+```bash
+PARALLEL_WORKERS=1 bin/rails test test/lib/source_monitor/http/aia_resolver_test.rb
+bin/rubocop lib/source_monitor/http/aia_resolver.rb test/lib/source_monitor/http/aia_resolver_test.rb
+```

data/.vbw-planning/phases/01-aia-certificate-resolution/PLAN-02-SUMMARY.md

@@ -0,0 +1,16 @@
+---
+phase: 1
+plan: 2
+status: complete
+commit: f60e9bf
+---
+
+## What Was Built
+- Added `cert_store:` keyword parameter to `HTTP.client` for custom OpenSSL cert stores
+- Added `autoload :AIAResolver` to HTTP module
+- Plumbed cert_store through `configure_request` -> `configure_ssl` with fallback to `default_cert_store`
+- 2 new tests: custom cert_store usage, ssl_ca_file takes precedence over cert_store
+
+## Files Modified
+- `lib/source_monitor/http.rb` — autoload, cert_store param, SSL plumbing
+- `test/lib/source_monitor/http_test.rb` — 2 new cert_store tests

data/.vbw-planning/phases/01-aia-certificate-resolution/PLAN-02.md

@@ -0,0 +1,56 @@
+---
+phase: 1
+plan: 2
+title: "HTTP Module cert_store Parameter"
+wave: 1
+depends_on: []
+must_haves:
+  - Add autoload :AIAResolver to module HTTP
+  - Add cert_store keyword to client method
+  - Pass cert_store through configure_request to configure_ssl
+  - configure_ssl uses cert_store when no ssl_ca_file/ssl_ca_path
+  - Tests for cert_store parameter usage
+---
+
+# Plan 02: HTTP Module cert_store Parameter
+
+## Goal
+
+Extend `SourceMonitor::HTTP.client` to accept an optional `cert_store:` parameter, enabling callers (like FeedFetcher's AIA retry) to provide a custom `OpenSSL::X509::Store` with additional certificates.
+
+## Tasks
+
+### Task 1: Modify lib/source_monitor/http.rb
+
+1. Add autoload inside `module HTTP` (after RETRY_STATUSES):
+   ```ruby
+   autoload :AIAResolver, "source_monitor/http/aia_resolver"
+   ```
+
+2. Add `cert_store: nil` keyword to `client` method signature.
+
+3. Pass `cert_store:` through `configure_request` to `configure_ssl`:
+   - Add `cert_store:` parameter to `configure_request`
+   - Pass it to `configure_ssl(connection, settings, cert_store:)`
+
+4. In `configure_ssl`: when no `ssl_ca_file` or `ssl_ca_path` is set, use `cert_store || default_cert_store`.
+
+### Task 2: Add tests to test/lib/source_monitor/http_test.rb
+
+Add 2 tests:
+- `cert_store: param is used when no ssl_ca_file or ssl_ca_path` -- pass a custom store, verify `connection.ssl.cert_store` is the custom store
+- `cert_store: is ignored when ssl_ca_file is set` -- configure ssl_ca_file, pass cert_store, verify ca_file takes precedence
+
+## Files
+
+| Action | Path |
+|--------|------|
+| MODIFY | `lib/source_monitor/http.rb` |
+| MODIFY | `test/lib/source_monitor/http_test.rb` |
+
+## Verification
+
+```bash
+PARALLEL_WORKERS=1 bin/rails test test/lib/source_monitor/http_test.rb
+bin/rubocop lib/source_monitor/http.rb test/lib/source_monitor/http_test.rb
+```

data/.vbw-planning/phases/01-aia-certificate-resolution/PLAN-03-SUMMARY.md

@@ -0,0 +1,17 @@
+---
+phase: 1
+plan: 3
+status: complete
+commit: 9c38bc3
+---
+
+## What Was Built
+- Wired AIA certificate resolution into FeedFetcher's SSL error handling
+- On `Faraday::SSLError`, attempts intermediate cert recovery via `AIAResolver.resolve` before raising
+- Guard flag `@aia_attempted` prevents infinite recursion; `rescue StandardError => nil` ensures recovery never makes things worse
+- Tags `instrumentation_payload[:aia_resolved] = true` on successful AIA recovery
+- 3 integration tests: success retry path, nil fallback to ConnectionError, non-SSL skip
+
+## Files Modified
+- `lib/source_monitor/fetching/feed_fetcher.rb` — split SSL rescue, add `attempt_aia_recovery`
+- `test/lib/source_monitor/fetching/feed_fetcher_test.rb` — 3 AIA resolution tests

data/.vbw-planning/phases/01-aia-certificate-resolution/PLAN-03.md

@@ -0,0 +1,98 @@
+---
+phase: 1
+plan: 3
+title: "FeedFetcher AIA Retry Integration"
+wave: 2
+depends_on: [1, 2]
+must_haves:
+  - Separate Faraday::SSLError rescue from Faraday::ConnectionFailed
+  - On SSLError attempt AIA resolution once (aia_attempted flag)
+  - Parse hostname from source.feed_url for AIA resolve
+  - If intermediate found rebuild connection with enhanced cert store and retry
+  - If nil raise ConnectionError as before
+  - Tag successful recoveries with aia_resolved in instrumentation
+  - Integration tests for all AIA retry paths
+  - Full test suite passes (1003+ tests)
+  - RuboCop zero offenses
+  - Brakeman zero warnings
+---
+
+# Plan 03: FeedFetcher AIA Retry Integration
+
+## Goal
+
+Wire AIA resolution into FeedFetcher's error handling so SSL failures automatically attempt intermediate certificate recovery before giving up.
+
+## Tasks
+
+### Task 1: Modify lib/source_monitor/fetching/feed_fetcher.rb
+
+Modify `perform_fetch` (lines 77-90):
+
+1. **Split rescue clause:** Separate `Faraday::SSLError` from `Faraday::ConnectionFailed` into its own rescue:
+   ```ruby
+   rescue Faraday::ConnectionFailed => error
+     raise ConnectionError.new(error.message, original_error: error)
+   rescue Faraday::SSLError => error
+     attempt_aia_recovery(error) || raise(ConnectionError.new(error.message, original_error: error))
+   ```
+
+2. **Add `attempt_aia_recovery` private method:**
+   - Guard: return nil if `@aia_attempted` is true (prevents recursion)
+   - Set `@aia_attempted = true`
+   - Parse hostname from `URI.parse(source.feed_url).host`
+   - Call `SourceMonitor::HTTP::AIAResolver.resolve(hostname)`
+   - If intermediate found:
+     - Build enhanced cert store via `AIAResolver.enhanced_cert_store([intermediate])`
+     - Rebuild `@connection = SourceMonitor::HTTP.client(cert_store: store, headers: request_headers)`
+     - Return `perform_request` (the retry)
+   - If nil: return nil (caller raises ConnectionError)
+   - Rescue StandardError -> nil (never make retry worse)
+
+3. **Tag instrumentation:** In the `handle_response` path after successful AIA retry, the `instrumentation_payload[:aia_resolved] = true` will naturally flow through since `perform_fetch` calls `handle_response` on the retried response.
+
+### Task 2: Add tests to test/lib/source_monitor/fetching/feed_fetcher_test.rb
+
+Add 3 tests under a new section `# -- AIA Certificate Resolution --`:
+
+1. **SSL error + AIA resolve succeeds -> fetch succeeds:**
+   - First stub: raise `Faraday::SSLError`
+   - Stub `AIAResolver.resolve` to return a mock certificate
+   - Stub `AIAResolver.enhanced_cert_store` to return a store
+   - Second stub (after retry): return 200 with RSS body
+   - Assert result.status == :fetched
+
+2. **SSL error + AIA resolve returns nil -> ConnectionError:**
+   - Stub to raise `Faraday::SSLError`
+   - Stub `AIAResolver.resolve` to return nil
+   - Assert result.status == :failed
+   - Assert result.error is ConnectionError
+
+3. **Non-SSL ConnectionError -> AIA not attempted:**
+   - Stub to raise `Faraday::ConnectionFailed`
+   - Verify `AIAResolver.resolve` was NOT called
+   - Assert result.status == :failed
+   - Assert result.error is ConnectionError
+
+### Task 3: Run full verification
+
+1. `PARALLEL_WORKERS=1 bin/rails test test/lib/source_monitor/fetching/feed_fetcher_test.rb`
+2. `bin/rails test` (full suite)
+3. `bin/rubocop`
+4. `bin/brakeman --no-pager`
+
+## Files
+
+| Action | Path |
+|--------|------|
+| MODIFY | `lib/source_monitor/fetching/feed_fetcher.rb` |
+| MODIFY | `test/lib/source_monitor/fetching/feed_fetcher_test.rb` |
+
+## Verification
+
+```bash
+PARALLEL_WORKERS=1 bin/rails test test/lib/source_monitor/fetching/feed_fetcher_test.rb
+bin/rails test
+bin/rubocop
+bin/brakeman --no-pager
+```

data/.vbw-planning/phases/02-test-performance/.context-dev.md

@@ -0,0 +1,75 @@
+## Phase 02 Context
+
+### Goal
+Not available
+
+### Codebase Map Available
+Codebase mapping exists in `.vbw-planning/codebase/`. Key files:
+- `ARCHITECTURE.md`
+- `CONCERNS.md`
+- `PATTERNS.md`
+- `DEPENDENCIES.md`
+- `STRUCTURE.md`
+- `CONVENTIONS.md`
+- `TESTING.md`
+- `STACK.md`
+
+Read CONVENTIONS.md, PATTERNS.md, STRUCTURE.md, and DEPENDENCIES.md first to bootstrap codebase understanding.
+
+### Research Findings
+# Phase 2: Test Performance - Research
+
+## Investigation Method
+3-agent competing hypothesis team (H1: DB/parallelism, H2: HTTP/VCR, H3: test helpers)
+
+## Findings
+
+### Time Budget (133s total, 1031 tests)
+| Component | Time | % | Root Cause |
+|-----------|------|---|------------|
+| FeedFetcherTest (71 tests) | 84.8s | 64% | Monolithic class, CPU-bound (Feedjira parse, SHA256, content extraction) |
+| Integration tests (9 tests) | 30.8s | 23% | Subprocess spawning (bundle exec rails g) |
+| System tests (22 tests) | ~5s | 4% | Selenium/Chrome |
+| Debug log IO | 5-15s | 8% | 95MB :debug output to disk |
+| Everything else (~930 tests) | ~15s | 11% | Fast |
+
+### Why Parallelism Doesn't Help Today
+- Minitest distributes by CLASS, not by test
+- FeedFetcherTest = 1 class with 71 tests = 1 worker gets all 84.8s
+- With 8 workers: max(84.8, 25.6, ~3) ≈ 85s + overhead
+
+### DB Is NOT the Bottleneck
+- SQL: 3.639s of 69.4s (5.25%) via EventProf
+- schema.rb used (fast load)
+- Transactional tests enabled (proper rollback)
+
+### HTTP Mocking Is NOT the Bottleneck
+- Only 4 VCR cassettes (456KB total), 83 WebMock stubs across 9 files
+- WebMock configured once globally, auto-resets
+- Only finding: default_cert_store recreated per connection (~0.5s total)
+
+### Test Helpers Are Cheap
+- reset_configuration!: microseconds per call (pure Ruby)
+- create_source!: 1 INSERT per call, 158 calls total
+- with_inline_jobs: 4 calls total, negligible
+
+### Profiling Data (tmp/test_prof/)
+- TagProf: lib tests 38.0s (55%), integration 28.5s (41%), controllers 0.97s, jobs 0.53s, models 0.47s
+- EventProf: FeedFetcherTest 0.888s SQL in 34.3s total (2.6% SQL)
+
+## Relevant Patterns
+- TestProf before_all available but used in only 1 of 54 eligible files
+- Thread-based parallelism already proven in coverage mode
+- PG fork segfault only on single-file runs, NOT full suite
+
+## Risks
+- Thread safety: reset_configuration! may need thread-local config or mutex
+- Test isolation: splitting FeedFetcherTest must preserve test independence
+- before_all: only safe for tests that don't mutate shared data
+
+## Recommendations (by impact)
+1. Split FeedFetcherTest into 5-6 classes → enables parallelism, -50s
+2. Set config.log_level = :warn → -5-15s
+3. Tag/skip integration tests in dev → -30s dev experience
+4. Switch to thread-based parallelism → enables splitting benefit
+5. Adopt before_all in DB-heavy test files → -3-5s