source_monitor 0.7.0 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b65480547bf48a4cabf2d1c98dbd6c965a6b7342c3da362b3987b1bed3e59a5d
-  data.tar.gz: 775abb18c5c94b5cf11e78e01c296a618c7ef884cb328f4f5f886c2d144c2f75
+  metadata.gz: 932dca7d7b8f754262dd37aac3cf722aee017ec53e662116dd97527ec2a8a1f3
+  data.tar.gz: 7d6ff568a5e3eb1cf5269736771474f19da9e82b18759232b03855735f284819
 SHA512:
-  metadata.gz: f75e313708962d167d7b362ed4f8af42be433e28d5a9e1aa59f290d82ed12103800abaf2f904098211c351f7c3b9265af05363d2364f477e22af3e7de2bc9755
-  data.tar.gz: ab0e7911a85c744f632d2fad3dbeb671ddb55b3e1f4cc0ed3a0dbc859e2dad21ccacdec8aff7ee45445cf84f3cfb3ddaf2ba803a7e533cacdc14b8cb3ee61ab6
+  metadata.gz: 1318387b90d5811d52fc5d852a2be9578515a0d69f77baa90ecc1fbab930a3d2067a1e7056f8d2bd15940de2c0799e147203b31e4d91784e3078fb0fa8edc6e5
+  data.tar.gz: b35f81be14c230f1865642b5aa9f8fd462791c8fe3db293bf0f6326f2fc9fc1295eaef5f9899488d298e01e6eb3e6b316c00ed53595341a17973edd50cbb7b10

data/.claude/commands/release.md

@@ -15,8 +15,10 @@ These are real issues encountered in previous releases. Each step below accounts
 3. **VBW volatile files**: Files in `.vbw-planning/` (`.cost-ledger.json`, `.notification-log.jsonl`, `.session-log.jsonl`, `.hook-errors.log`) are continuously modified by VBW hooks. They should be in `.gitignore`. If they aren't, add them before proceeding.
 4. **Pre-push hook**: The VBW pre-push hook at `.git/hooks/pre-push` requires the `VERSION` file to appear in the diff for any push. For new branches, it compares the commit against the working tree -- any dirty files will trigger a false positive. For force-pushes to existing branches where `VERSION` hasn't changed since the last push, use `--no-verify`.
 5. **Single squashed commit**: Always create ONE commit on the release branch with ALL changes (version bump, changelog, Gemfile.lock, any fixes). Multiple commits cause pre-push hook issues.
-6. **Diff coverage CI gate**: The `test` CI job enforces diff coverage. Any changed lines in source code (not just test files) must have test coverage. If you change source code during the release (e.g., bug fixes), you must add corresponding tests.
-7. **Local main divergence after merge**: After the PR merges, local main will have different commits than origin/main (pre-squash vs merged). You must `git reset --hard origin/main` to sync -- this requires user approval since the sandbox blocks it.
+6. **Diff coverage CI gate**: The `test` CI job enforces diff coverage. Any changed lines in source code (not just test files) must have test coverage. **This applies to ALL changes in the PR diff vs main, including unpushed commits made before the release started.** If the release includes source code changes (bug fixes, features), every changed source line must be covered.
+7. **Local main divergence after merge**: After the PR merges, `gh pr merge --merge --delete-branch` will attempt to fast-forward local main. This usually succeeds automatically. If it doesn't (divergent history), you must `git reset --hard origin/main` to sync -- this requires user approval since the sandbox blocks it.
+8. **Run local checks BEFORE pushing**: Always run `bin/rubocop` and `PARALLEL_WORKERS=1 bin/rails test` locally before the first push to the release branch. Each CI roundtrip (fail → fix → amend → force-push → re-run) costs ~5 minutes. In v0.7.0, skipping local checks caused two wasted CI cycles: first for uncovered diff lines, then for a RuboCop violation in the fix.
+9. **Zsh glob nomatch**: Commands like `rm -f *.gem` fail in zsh when no files match. Always use `rm -f *.gem 2>/dev/null || true` or check existence first with `ls`.
 
 ## Step 1: Git Hygiene
 
@@ -112,7 +114,25 @@ The changelog follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) f
 2. Verify the output shows the new version: `Using source_monitor X.Y.Z (was X.Y.Z-1)`.
 3. If `bundle install` fails, resolve the issue before proceeding.
 
-## Step 5: Create Release Branch with Single Squashed Commit
+## Step 5: Local Pre-flight Checks
+
+**CRITICAL**: Run these checks BEFORE creating the release branch and pushing. Each CI failure → fix → amend → force-push cycle wastes ~5 minutes. In v0.7.0, skipping this step caused two wasted CI roundtrips.
+
+1. **RuboCop**: Run `bin/rubocop` and fix any violations. Auto-fix with `bin/rubocop -a` if needed. This catches lint issues (like `SpaceInsideArrayLiteralBrackets`) that would fail the CI lint job.
+
+2. **Tests**: Run `PARALLEL_WORKERS=1 bin/rails test` and ensure all tests pass.
+
+3. **Diff coverage pre-check**: If the release includes source code changes beyond version/changelog/lockfile (check with `git diff --name-only origin/main`), review those files for uncovered branches. The CI diff coverage gate will reject any changed source lines without test coverage. Common blind spots:
+   - Fallback/else branches in new methods
+   - Error handling paths
+   - Guard clauses
+   If you find uncovered source lines, write tests for them NOW before creating the release commit — it's far cheaper than a CI roundtrip.
+
+4. **Brakeman**: Run `bin/brakeman --no-pager` and ensure zero warnings.
+
+Only proceed to Step 6 when all local checks pass.
+
+## Step 6: Create Release Branch with Single Squashed Commit
 
 **IMPORTANT**: All release changes MUST be in a single commit on the release branch. This avoids pre-push hook issues where individual commits are checked for VERSION changes.
 
@@ -124,13 +144,13 @@ The changelog follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) f
    Also stage any other files that were changed (updated skills, docs, etc.).
 3. Create a single commit:
    ```
-   chore: release vX.Y.Z
+   chore(release): release vX.Y.Z
    ```
 4. Push the branch: `git push -u origin release/vX.Y.Z`
    - If the pre-push hook blocks with a false positive (e.g., VBW files dirty in working tree despite being gitignored), use `git push -u --no-verify origin release/vX.Y.Z`. This is safe because we've verified VERSION is in the commit.
 5. If the push fails for other reasons, diagnose and fix before proceeding.
 
-## Step 6: Create PR
+## Step 7: Create PR
 
 1. Create the PR using `gh pr create`:
    - Title: `Release vX.Y.Z`
@@ -152,7 +172,7 @@ The changelog follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) f
    - Base: `main`
 2. Report the PR URL to the user.
 
-## Step 7: Monitor CI Pipeline
+## Step 8: Monitor CI Pipeline
 
 Poll the CI status using repeated `gh pr checks <PR_NUMBER>` calls. The CI has 4 required jobs: `lint`, `security`, `test`, `release_verification` (release_verification only runs after test passes).
 
@@ -163,7 +183,7 @@ Poll the CI status using repeated `gh pr checks <PR_NUMBER>` calls. The CI has 4
 
 ### If CI PASSES (all checks green):
 
-Continue to Step 8.
+Continue to Step 9. If Step 5 (local pre-flight) was done properly, CI should pass on the first attempt.
 
 ### If CI FAILS:
 
@@ -173,32 +193,32 @@ Continue to Step 8.
    gh run view <RUN_ID> --log-failed | tail -80
    ```
 3. **Common failure: diff coverage** -- If the `test` job fails on "Enforce diff coverage", it means changed source lines lack test coverage. Read the error to identify uncovered files/lines, write tests, and add them to the release commit.
-4. **Common failure: Gemfile.lock frozen** -- If `bundle install` fails in CI with "frozen mode", you forgot to run `bundle install` locally (Step 4).
-5. Present failure details to the user and ask what to do:
-   - "Fix the issues and re-push" -- Fix issues, amend the commit (`git commit --amend --no-edit`), force push (`git push --force-with-lease --no-verify origin release/vX.Y.Z`), and restart CI monitoring.
+4. **Common failure: Gemfile.lock frozen** -- If `bundle install` fails in CI with "frozen mode", you forgot to run `bundle install` locally (Step 4). Amend the commit with the updated lockfile.
+5. **Common failure: RuboCop lint** -- If the `lint` job fails, a RuboCop violation slipped through. This should have been caught in Step 5.
+6. **IMPORTANT: When fixing CI failures, run ALL local checks again before re-pushing.** Don't just fix the one failure — run `bin/rubocop` AND `PARALLEL_WORKERS=1 bin/rails test` to catch cascading issues. In v0.7.0, fixing a diff coverage failure introduced a RuboCop violation, requiring a third CI cycle.
+7. Present failure details to the user and ask what to do:
+   - "Fix the issues and re-push" -- Fix issues, run ALL local checks (rubocop + tests), amend the commit (`git commit --amend --no-edit`), force push (`git push --force-with-lease --no-verify origin release/vX.Y.Z`), and restart CI monitoring.
    - "Close the PR and abort" -- Close the PR, delete the branch, switch back to main.
    - "Investigate manually" -- Stop and let the user handle it.
 
 **Note on force pushes**: When force-pushing the release branch after amending, always use `--no-verify` because the pre-push hook will see the diff between old and new branch tips, and `VERSION` won't appear as changed (it's the same in both). This is expected and safe.
 
-## Step 8: Auto-Merge PR
+## Step 9: Auto-Merge PR
 
 Once CI is green:
 
 1. Merge the PR: `gh pr merge <PR_NUMBER> --merge --delete-branch`
+   - The `--delete-branch` flag also fetches and fast-forwards local main in most cases.
 
-2. **Sync local main with remote** (this is the tricky part):
-   - The merge creates a merge commit on origin/main that doesn't exist locally.
-   - Local main may have different commits (pre-squash) than what was merged.
+2. **Sync local main with remote**:
    - Switch to main: `git checkout main`
-   - Try `git pull origin main`. If it fails with conflicts or divergence:
-     - Ask the user to run `git reset --hard origin/main` (the sandbox blocks this command).
-     - Explain this is safe because the PR is merged and all changes are on origin/main.
-   - Verify with `git log --oneline -3` that local matches remote.
+   - The `gh pr merge` command usually auto-syncs local main via fast-forward. Verify with `git log --oneline -3` that local matches remote (`git rev-parse HEAD` == `git rev-parse origin/main`).
+   - If local is behind or diverged, try `git pull origin main`.
+   - If pull fails with conflicts or divergence (rare): ask the user to run `git reset --hard origin/main` (the sandbox blocks this command). Explain this is safe because the PR is merged and all changes are on origin/main.
 
 3. Report: "PR #N merged successfully."
 
-## Step 9: Tag the Release
+## Step 10: Tag the Release
 
 1. Verify you're on main and synced with origin.
 2. Create an annotated tag:
@@ -212,14 +232,17 @@ Once CI is green:
    ```
 5. Report the release URL.
 
-## Step 10: Build the Gem
+## Step 11: Build the Gem
 
-1. Clean any old gem files: `ls source_monitor-*.gem` and remove them if found (don't error if none exist).
+1. Clean any old gem files. **Note**: zsh fails on `rm -f *.gem` when no files match due to `nomatch`. Use:
+   ```
+   find . -maxdepth 1 -name 'source_monitor-*.gem' -delete
+   ```
 2. Build the gem: `gem build source_monitor.gemspec`
 3. Verify the gem was built: check for `source_monitor-X.Y.Z.gem` in the project root.
 4. Show the file size: `ls -la source_monitor-X.Y.Z.gem`
 
-## Step 11: Gem Push Instructions
+## Step 12: Gem Push Instructions
 
 Present the final instructions to the user:
 

data/.claude/skills/sm-configure/SKILL.md

@@ -29,7 +29,7 @@ After the block executes, `ModelExtensions.reload!` runs automatically to apply
 
 ## Configuration Sections
 
-The `config` object (`SourceMonitor::Configuration`) has 11 sub-sections plus top-level queue/job settings:
+The `config` object (`SourceMonitor::Configuration`) has 13 sub-sections plus top-level queue/job settings:
 
 | Section | Accessor | Class |
 |---|---|---|
@@ -45,6 +45,7 @@ The `config` object (`SourceMonitor::Configuration`) has 11 sub-sections plus to
 | Realtime | `config.realtime` | `RealtimeSettings` |
 | Authentication | `config.authentication` | `AuthenticationSettings` |
 | Images | `config.images` | `ImagesSettings` |
+| Favicons | `config.favicons` | `FaviconsSettings` |
 
 See `reference/configuration-reference.md` for every setting with types, defaults, and examples.
 
@@ -91,6 +92,14 @@ config.models.source.include_concern "MyApp::SourceExtension"
 config.models.item.validate :custom_check
 ```
 
+### Favicons (Active Storage)
+```ruby
+config.favicons.enabled = true
+config.favicons.fetch_timeout = 10
+config.favicons.max_download_size = 512 * 1024  # 512 KB
+config.favicons.retry_cooldown_days = 14
+```
+
 ### Realtime
 ```ruby
 config.realtime.adapter = :redis

data/.claude/skills/sm-configure/reference/configuration-reference.md

@@ -342,6 +342,50 @@ When enabled, `DownloadContentImagesJob` is automatically enqueued after new ite
 
 ---
 
+## Favicons Settings (`config.favicons`)
+
+Class: `SourceMonitor::Configuration::FaviconsSettings`
+
+Controls automatic favicon fetching and storage for sources via Active Storage.
+
+**Prerequisite:** The host app must have Active Storage installed (`rails active_storage:install` + migrations). Without Active Storage, favicons are silently disabled and colored initials placeholders are shown instead.
+
+| Setting | Type | Default | Description |
+|---|---|---|---|
+| `enabled` | Boolean | `true` | Enable automatic favicon fetching |
+| `fetch_timeout` | Integer | `5` | HTTP timeout for favicon requests (seconds) |
+| `max_download_size` | Integer | `1048576` (1 MB) | Maximum favicon file size in bytes; larger files are skipped |
+| `retry_cooldown_days` | Integer | `7` | Days to wait before retrying a failed favicon fetch |
+| `allowed_content_types` | Array | `["image/x-icon", "image/vnd.microsoft.icon", "image/png", "image/jpeg", "image/gif", "image/svg+xml", "image/webp"]` | Permitted MIME types for downloaded favicons |
+
+### Helper Method
+
+| Method | Returns | Description |
+|---|---|---|
+| `enabled?` | Boolean | Returns `true` when `enabled` is truthy AND `ActiveStorage` is defined |
+
+```ruby
+# Customize favicon settings
+config.favicons.enabled = true
+config.favicons.fetch_timeout = 10
+config.favicons.max_download_size = 512 * 1024  # 512 KB
+config.favicons.retry_cooldown_days = 14
+config.favicons.allowed_content_types = %w[image/png image/x-icon image/svg+xml]
+```
+
+When enabled, `FaviconFetchJob` is automatically enqueued:
+1. After a new source is created (via UI or OPML import) with a `website_url`
+2. After a successful feed fetch when the source has no favicon attached and is outside the retry cooldown
+
+The job uses `Favicons::Discoverer` which tries three strategies in order:
+1. Direct `/favicon.ico` fetch from the source's domain
+2. HTML page parsing for `<link rel="icon">`, `<link rel="apple-touch-icon">`, and similar tags (prefers largest by `sizes` attribute)
+3. Google Favicon API as a last resort
+
+Failed attempts are tracked in the source's `metadata` JSONB column (`favicon_last_attempted_at`) to respect the cooldown period.
+
+---
+
 ## Environment Variables
 
 | Variable | Purpose |

data/.claude/skills/sm-host-setup/reference/initializer-template.md

@@ -176,6 +176,23 @@ SourceMonitor.configure do |config|
   #   record.errors.add(:base, "custom error") unless record.valid_for_my_app?
   # }
 
+  # ===========================================================================
+  # Favicons (Active Storage)
+  # ===========================================================================
+  # Automatically fetch and store source favicons via Active Storage.
+  # Requires Active Storage in the host app (rails active_storage:install).
+  # Without Active Storage, favicons are silently disabled -- colored
+  # initials placeholders are shown instead.
+
+  # config.favicons.enabled = true                    # default: true
+  # config.favicons.fetch_timeout = 5                 # seconds
+  # config.favicons.max_download_size = 1_048_576     # 1 MB
+  # config.favicons.retry_cooldown_days = 7
+  # config.favicons.allowed_content_types = %w[
+  #   image/x-icon image/vnd.microsoft.icon image/png
+  #   image/jpeg image/gif image/svg+xml image/webp
+  # ]
+
   # ===========================================================================
   # Realtime (Action Cable) Adapter
   # ===========================================================================

data/.claude/skills/sm-host-setup/reference/setup-checklist.md

@@ -155,6 +155,8 @@ bin/source_monitor verify
 - [ ] Event callbacks wired for host integration
 - [ ] Realtime adapter confirmed (Solid Cable or Redis)
 - [ ] Mission Control integration enabled (if desired)
+- [ ] Active Storage installed (required for favicons and image downloads)
+- [ ] Favicon settings configured (`config.favicons.*`) if customization needed
 
 ## Troubleshooting
 

data/.claude/skills/sm-job/reference/job-conventions.md

@@ -164,6 +164,32 @@ class ScheduleFetchesJob < ApplicationJob
 end
 ```
 
+### Lightweight Fetch Job (FaviconFetchJob)
+
+Demonstrates multi-strategy cascade with guard clauses:
+
+```ruby
+class FaviconFetchJob < ApplicationJob
+  source_monitor_queue :fetch
+  discard_on ActiveJob::DeserializationError
+
+  def perform(source_id)
+    source = Source.find_by(id: source_id)
+    return unless source
+    return unless should_fetch?(source)
+
+    result = Favicons::Discoverer.new(source: source).call
+    attach_favicon(source, result) if result.success?
+  end
+end
+```
+
+Notable patterns:
+- Multiple guard clauses: source exists, Active Storage defined, no existing favicon, outside cooldown period
+- Uses `Favicons::Discoverer` service with 3-strategy cascade (direct `/favicon.ico`, HTML parsing, Google API)
+- Failed attempts tracked in source `metadata` JSONB (`favicon_last_attempted_at`) for retry cooldown
+- Graceful degradation: host apps without Active Storage never enqueue this job
+
 ### Broadcast Job (SourceHealthCheckJob)
 
 Demonstrates result broadcasting:

data/.claude/skills/sm-upgrade/reference/version-history.md

@@ -2,6 +2,28 @@
 
 Version-specific migration notes for each major/minor version transition. Agents should reference this file when guiding users through multi-version upgrades.
 
+## 0.7.x to 0.8.0
+
+**Key changes:**
+- Default HTTP User-Agent changed from `SourceMonitor/<version>` to `Mozilla/5.0 (compatible; SourceMonitor/<version>)` with browser-like headers (Accept-Language, DNT, Referer). Prevents bot-blocking by feed servers.
+- Default `max_in_flight_per_source` changed from `25` to `nil` (unlimited). If you relied on the previous default for per-source rate limiting, set it explicitly.
+- Successful manual health checks on degraded sources now trigger a feed fetch for faster recovery.
+- Automatic source favicons via Active Storage with multi-strategy discovery (direct `/favicon.ico`, HTML `<link>` parsing, Google Favicon API fallback)
+- New configuration section: `config.favicons` with `enabled`, `fetch_timeout`, `max_download_size`, `retry_cooldown_days`, and `allowed_content_types` settings
+- Colored initials placeholder shown when no favicon is available or Active Storage is not installed
+- OPML imports trigger favicon fetches for each imported source with a `website_url`
+- Toast notifications capped at 3 visible with "+N more" badge, click-to-expand, and "Clear all" button
+- Error-level toasts auto-dismiss after 10 seconds (vs 5 seconds for info/success)
+
+**Action items:**
+1. Re-run `bin/rails source_monitor:upgrade` to get updated initializer template
+2. If you explicitly set `config.http.user_agent`, your value is preserved. Otherwise the new browser-like default applies automatically.
+3. If you need per-source scrape rate limiting, add `config.scraping.max_in_flight_per_source = 25` (or your preferred value) to your initializer
+4. If using Active Storage, favicons are enabled by default -- no action needed
+5. If NOT using Active Storage, favicons are silently disabled -- no action needed
+6. Toast stacking is automatic -- no configuration needed
+7. No breaking changes -- all existing configuration remains valid
+
 ## 0.3.x to 0.4.0
 
 **Released:** 2026-02-12

data/.gitignore

@@ -27,5 +27,15 @@
 .vbw-planning/.active-agent
 .vbw-planning/.active-agent-count
 .vbw-planning/.todo-flat-migrated
+.vbw-planning/.agent-worktrees/
+.vbw-planning/.cache/
+.vbw-planning/.context-usage
+.vbw-planning/.contracts/
+.vbw-planning/.events/
+.vbw-planning/.execution-state.json
 /codebase_analysis.md
+/VERIFICATION.md
+/test/dummy/public/assets/
+/test/lib/tmp/
 *.gem
+.vbw-worktrees/

data/AGENTS.md

@@ -83,7 +83,7 @@ Store secrets (API keys, webhook tokens) in `config/credentials/` and never comm
 
 ## Claude Code Skills
 
-SourceMonitor ships 14 engine-specific Claude Code skills (`sm-*` prefix) covering the domain model, configuration DSL, pipeline stages, testing conventions, and more. Skills are distributed with the gem and installed into `.claude/skills/` via rake tasks:
+SourceMonitor ships 15 engine-specific Claude Code skills (`sm-*` prefix) covering the domain model, configuration DSL, pipeline stages, testing conventions, and more. Skills are distributed with the gem and installed into `.claude/skills/` via rake tasks:
 
 ```bash
 bin/rails source_monitor:skills:install        # Consumer skills (host app integration)

data/CHANGELOG.md

@@ -15,6 +15,62 @@ All notable changes to this project are documented below. The format follows [Ke
 
 - No unreleased changes yet.
 
+## [0.8.0] - 2026-02-21
+
+### Added
+
+- **Automatic source favicons.** Sources now display favicons next to their names in list and detail views. Favicons are fetched automatically via background job on source creation and successful feed fetches using a multi-strategy cascade: `/favicon.ico` direct fetch, HTML `<link>` tag parsing (preferring largest available), and Google Favicon API fallback. Requires Active Storage in the host app.
+  - New configuration section: `config.favicons` with `enabled` (default: `true`), `fetch_timeout` (5s), `max_download_size` (1MB), `retry_cooldown_days` (7), and `allowed_content_types` settings.
+  - Colored initials placeholder shown when no favicon is available (consistent HSL color derived from source name).
+  - Graceful degradation: host apps without Active Storage see placeholders only, no errors.
+  - OPML imports also trigger favicon fetches for each imported source with a `website_url`.
+  - Manual "Fetch Favicon" button on source detail pages; favicon fetch also triggered on 304 Not Modified responses when missing.
+  - Redirect-following in favicon discoverer for domains that redirect (e.g., `reddit.com` -> `www.reddit.com`).
+- **Toast notification stacking.** Bulk operations no longer flood the screen with overlapping toasts. At most 3 toasts are visible at a time; overflow is shown as a "+N more" badge that expands the full stack on click. "Clear all" button dismisses every toast at once.
+  - Error-level toasts persist for 10 seconds (vs 5 seconds for info/success).
+  - Hidden toasts promote into visible slots as earlier toasts auto-dismiss.
+  - Container controller tracks DOM changes via MutationObserver and properly cleans up event listeners on disconnect.
+
+### Changed
+
+- **Browser-like default User-Agent.** Default HTTP User-Agent changed from `SourceMonitor/<version>` to `Mozilla/5.0 (compatible; SourceMonitor/<version>)` with full browser-like headers (Accept, Accept-Language, DNT, Referer from source `website_url`). This prevents bot-blocking by feed servers.
+- **Smarter scrape rate limiting.** Default `max_in_flight_per_source` changed from `25` to `nil` (unlimited). The previous default unnecessarily throttled scraping for sources with many items. Set an explicit value in your initializer if you need per-source caps.
+- **Health check triggers status re-evaluation.** A successful manual health check on a degraded (declining/critical/warning) source now triggers a feed fetch, allowing the health monitor to transition the source back to "improving" status instead of requiring the source to recover on its own schedule.
+
+### Fixed
+
+- Favicon discoverer properly follows HTTP redirects (e.g., `reddit.com` -> `www.reddit.com`).
+- Favicon fetch uses `rails_blob_path` for correct routing within the engine context.
+- Favicon display prefers PNG format (via Google Favicon API) over raw ICO for better browser compatibility.
+- Gemspec excludes `.vbw-planning/` from gem package to reduce gem size.
+
+### Testing
+
+- 1,125 tests, 0 failures.
+- RuboCop: 0 offenses.
+- Brakeman: 0 warnings.
+
+## [0.7.1] - 2026-02-18
+
+### Changed
+
+- **Test suite 60% faster (118s → 46s).** Disabled Faraday retry middleware in tests — WebMock-stubbed timeout errors triggered 4 retries with exponential backoff (7.5s of real sleep per test), consuming 73% of total runtime across 11 FeedFetcher tests.
+- Split monolithic FeedFetcherTest (71 tests, 84.8s) into 6 concern-based test classes for better parallelization and maintainability.
+- Switched default test parallelism from fork-based to thread-based, eliminating PG segfault on single-file runs.
+- Reduced test log IO by setting test log level to `:warn` (was `:debug`, generating 95MB of output).
+- Adopted `setup_once`/`before_all` in 5 DB-heavy analytics/dashboard test files.
+- Added `test:fast` rake task to exclude integration and system tests during development.
+
+### Fixed
+
+- Suppressed spurious TestProf "before_all is not implemented for threads" warning by loading TestProf after `parallelize` call.
+
+### Testing
+
+- 1,033 tests, 3,302 assertions, 0 failures.
+- RuboCop: 0 offenses.
+- Brakeman: 0 warnings.
+
 ## [0.7.0] - 2026-02-18
 
 ### Fixed

data/CLAUDE.md

@@ -4,17 +4,17 @@
 
 ## Active Context
 
-**Milestone:** (none active)
-**Last shipped:** upgrade-assurance (2026-02-13) -- 3 phases, 14 tasks, 12 commits
-**Previous:** generator-enhancements (2026-02-12) -- v0.4.0
-**Next action:** /vbw:vibe to start a new milestone
+**Milestone:** polish-and-reliability
+**Phase:** 1 -- Backend Fixes (pending planning)
+**Last shipped:** aia-ssl-fix (2026-02-20) -- 2 phases, 7 plans, 8 commits
+**Previous:** upgrade-assurance (2026-02-13), generator-enhancements (2026-02-12)
 
 ## Key Decisions
 
 - Keep PostgreSQL-only for now
 - Keep host-app auth model
 - Ruby autoload for lib/ modules (not Zeitwerk)
-- PG parallel fork segfault when running single test files; use PARALLEL_WORKERS=1 or full suite
+- PG parallel fork segfault resolved: switched to thread-based parallelism in aia-ssl-fix milestone
 
 ## Installed Skills
 
@@ -100,6 +100,12 @@ Run /vbw:help for all commands.
 - No N+1 queries (use `includes`/`preload`).
 - No hardcoded credentials (use Rails credentials or ENV).
 
+## QA and UAT Rules
+
+- **Browser-first verification:** During VBW QA (`/vbw:qa`) and UAT (`/vbw:verify`), ALWAYS start by using `agent-browser` to test UI scenarios yourself before presenting checkpoints to the user. Navigate to the dummy app (port 3002), take snapshots/screenshots, and verify visual and functional behavior with agents first.
+- **Automate what you can:** Any test that can be verified programmatically (config defaults, job enqueue behavior, controller responses) should be automated -- only present truly visual/interactive tests to the user.
+- **Dummy app port:** The SourceMonitor dummy app runs on port 3002 (`cd test/dummy && bin/rails server -p 3002`).
+
 ## Security Rules
 
 ### Protected Files (NEVER read or output)

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    source_monitor (0.7.0)
+    source_monitor (0.8.0)
       cssbundling-rails (~> 1.4)
       faraday (~> 2.9)
       faraday-follow_redirects (~> 0.4)

data/README.md

@@ -9,8 +9,8 @@ SourceMonitor is a production-ready Rails 8 mountable engine for ingesting, norm
 In your host Rails app:
 
 ```bash
-bundle add source_monitor --version "~> 0.3.1"
-# or add `gem "source_monitor", "~> 0.3.1"` manually, then run:
+bundle add source_monitor --version "~> 0.7.1"
+# or add `gem "source_monitor", "~> 0.7.1"` manually, then run:
 bundle install
 ```
 
@@ -19,7 +19,9 @@ This exposes `bin/source_monitor` (via Bundler binstubs) so you can run the guid
 ## Highlights
 - Full-featured source and item administration backed by Turbo Streams and Tailwind UI components
 - Adaptive fetch pipeline (Feedjira + Faraday) with conditional GETs, retention pruning, and scrape orchestration
+- Automatic source favicons via Active Storage with multi-strategy discovery and graceful fallback
 - Realtime dashboard metrics, batching/caching query layer, and Mission Control integration hooks
+- Smart toast notification stacking (max 3 visible, "+N more" overflow badge, click-to-expand)
 - Extensible scraper adapters (Readability included) with per-source settings and structured result metadata
 - Declarative configuration DSL covering queues, HTTP, retention, events, model extensions, authentication, and realtime transports
 - First-class observability through ActiveSupport notifications and `SourceMonitor::Metrics` counters/gauges
@@ -41,7 +43,7 @@ This exposes `bin/source_monitor` (via Bundler binstubs) so you can run the guid
 Before running any SourceMonitor commands inside your host app, add the gem and install dependencies:
 
 ```bash
-bundle add source_monitor --version "~> 0.3.1"
+bundle add source_monitor --version "~> 0.7.1"
 # or edit your Gemfile, then run
 bundle install
 ```
@@ -113,7 +115,7 @@ See [docs/configuration.md](docs/configuration.md) for exhaustive coverage and e
 
 ## Claude Code Skills
 
-SourceMonitor ships 14 engine-specific Claude Code skills (`sm-*` prefix) that give AI agents deep context about the engine's domain model, configuration DSL, pipeline stages, and testing conventions. Skills are bundled with the gem and installed into your host app's `.claude/skills/` directory.
+SourceMonitor ships 15 engine-specific Claude Code skills (`sm-*` prefix) that give AI agents deep context about the engine's domain model, configuration DSL, pipeline stages, and testing conventions. Skills are bundled with the gem and installed into your host app's `.claude/skills/` directory.
 
 ```bash
 bin/rails source_monitor:skills:install        # Consumer skills (host app integration)

data/VERSION

@@ -1 +1 @@
-0.7.0
+0.8.0

data/app/assets/builds/source_monitor/application.css

@@ -651,6 +651,14 @@ video {
   right: 0px;
 }
 
+.fm-admin .-bottom-1 {
+  bottom: -0.25rem;
+}
+
+.fm-admin .-right-1 {
+  right: -0.25rem;
+}
+
 .fm-admin .left-4 {
   left: 1rem;
 }
@@ -957,6 +965,10 @@ video {
   align-items: flex-start;
 }
 
+.fm-admin .items-end {
+  align-items: flex-end;
+}
+
 .fm-admin .items-center {
   align-items: center;
 }
@@ -977,6 +989,10 @@ video {
   gap: 0.25rem;
 }
 
+.fm-admin .gap-1\.5 {
+  gap: 0.375rem;
+}
+
 .fm-admin .gap-2 {
   gap: 0.5rem;
 }
@@ -1348,6 +1364,11 @@ video {
   background-color: rgb(248 250 252 / var(--tw-bg-opacity, 1));
 }
 
+.fm-admin .bg-slate-700 {
+  --tw-bg-opacity: 1;
+  background-color: rgb(51 65 85 / var(--tw-bg-opacity, 1));
+}
+
 .fm-admin .bg-slate-800 {
   --tw-bg-opacity: 1;
   background-color: rgb(30 41 59 / var(--tw-bg-opacity, 1));
@@ -1367,6 +1388,15 @@ video {
   background-color: rgb(255 255 255 / var(--tw-bg-opacity, 1));
 }
 
+.fm-admin .object-contain {
+  -o-object-fit: contain;
+     object-fit: contain;
+}
+
+.fm-admin .p-0\.5 {
+  padding: 0.125rem;
+}
+
 .fm-admin .p-3 {
   padding: 0.75rem;
 }
@@ -1726,6 +1756,10 @@ video {
   color: rgb(255 255 255 / var(--tw-text-opacity, 1));
 }
 
+.fm-admin .underline {
+  text-decoration-line: underline;
+}
+
 .fm-admin .opacity-0 {
   opacity: 0;
 }
@@ -1848,6 +1882,11 @@ video {
   background-color: rgb(248 250 252 / var(--tw-bg-opacity, 1));
 }
 
+.fm-admin .hover\:bg-slate-600:hover {
+  --tw-bg-opacity: 1;
+  background-color: rgb(71 85 105 / var(--tw-bg-opacity, 1));
+}
+
 .fm-admin .hover\:bg-slate-700:hover {
   --tw-bg-opacity: 1;
   background-color: rgb(51 65 85 / var(--tw-bg-opacity, 1));
@@ -1962,6 +2001,10 @@ video {
   background-color: rgb(241 245 249 / var(--tw-bg-opacity, 1));
 }
 
+.fm-admin :is(.group:hover .group-hover\:inline-flex) {
+  display: inline-flex;
+}
+
 .fm-admin :is(.peer:checked ~ .peer-checked\:border-blue-500) {
   --tw-border-opacity: 1;
   border-color: rgb(59 130 246 / var(--tw-border-opacity, 1));