dchuk · dchuk · Jun 18, 2026 · Jun 18, 2026
diff --git a/.claude/skills/sm-upgrade/reference/version-history.md b/.claude/skills/sm-upgrade/reference/version-history.md
@@ -2,6 +2,20 @@
 
 Version-specific migration notes for each major/minor version transition. Agents should reference this file when guiding users through multi-version upgrades.
 
+## 0.14.0 to 0.15.0
+
+**Key changes:**
+- **Security:** Rails bumped to 8.1.3 (security release), picking up fixes for five CVEs including XSS in tag/DebugExceptions helpers, an Active Storage path-traversal, and a NumberConverter issue.
+- **ViewComponent 4.x:** the `view_component` dependency widens from `>= 3.0, < 4.0` to `>= 3.0, < 5.0`, allowing host apps to resolve ViewComponent 4.x (engine lockfile resolves to 4.5.0). Engine components use only stable APIs unaffected by v4.
+- **Solid Queue 1.4.0:** bumped from 1.3.1 with race-condition and supervisor stability fixes; dynamic recurring tasks are opt-in.
+- **Documentation:** engine conventions consolidated into `AGENTS.md`; `CLAUDE.md` now points to it.
+
+**Action items:**
+1. `bundle update source_monitor`
+2. `bin/rails source_monitor:upgrade`
+3. No migrations or breaking config/API changes.
+4. If the host app has ViewComponent 3.x customizations (custom components, previews), test after upgrading and consult ViewComponent v4 migration guides if needed.
+
 ## 0.13.1 to 0.14.0
 
 **Key changes:**

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,20 @@ All notable changes to this project are documented below. The format follows [Ke
 
 - No unreleased changes yet.
 
+## [0.15.0] - 2026-06-18
+
+### Security
+- Bump Rails to 8.1.3 via the 8.1.2.1 security release (#104), picking up fixes for five CVEs including XSS in tag/DebugExceptions helpers, an Active Storage path-traversal, and a NumberConverter issue.
+
+### Changed
+- **Allow ViewComponent 4.x** (#96). The `view_component` dependency constraint widens from `>= 3.0, < 4.0` to `>= 3.0, < 5.0`, so host apps can now resolve ViewComponent 4.x (the engine's lockfile moves to 4.5.0). The engine's components use only stable ViewComponent APIs and are unaffected by the v4 upgrade — but a host app on its own ViewComponent 3.x customizations should review the v4 upgrade notes before running `bundle update`.
+- Bump Solid Queue to 1.4.0 (#102) — race-condition and supervisor stability fixes; the new dynamic recurring-tasks feature is opt-in and off by default.
+- Bump nokolexbor to 0.6.4 (#103) and json to 2.19.2 (#99).
+- Development/CI dependency bumps: test-prof 1.6.0 (#101), webmock 3.26.2 (#100), brakeman 8.0.4 (#88), selenium-webdriver 4.41.0 (#78), stackprof 0.2.28 (#71), and the GitHub Actions artifact actions (#87, #86).
+
+### Documentation
+- Consolidate engine conventions into `AGENTS.md` as the canonical, cross-agent reference; `CLAUDE.md` now points to it instead of duplicating content (#134).
+
 ## [0.14.0] - 2026-05-28
 
 ### Security (BREAKING)

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    source_monitor (0.14.0)
+    source_monitor (0.15.0)
       cssbundling-rails (~> 1.4)
       faraday (~> 2.9)
       faraday-follow_redirects (~> 0.4)

diff --git a/README.md b/README.md
@@ -9,8 +9,8 @@ SourceMonitor is a production-ready Rails 8 mountable engine for ingesting, norm
 In your host Rails app:
 
 ```bash
-bundle add source_monitor --version "~> 0.14.0"
-# or add `gem "source_monitor", "~> 0.14.0"` manually, then run:
+bundle add source_monitor --version "~> 0.15.0"
+# or add `gem "source_monitor", "~> 0.15.0"` manually, then run:
 bundle install
 ```
 
@@ -46,7 +46,7 @@ This exposes `bin/source_monitor` (via Bundler binstubs) so you can run the guid
 Before running any SourceMonitor commands inside your host app, add the gem and install dependencies:
 
 ```bash
-bundle add source_monitor --version "~> 0.14.0"
+bundle add source_monitor --version "~> 0.15.0"
 # or edit your Gemfile, then run
 bundle install
 ```

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-0.14.0
+0.15.0
diff --git a/docs/setup.md b/docs/setup.md
@@ -7,7 +7,7 @@ This guide consolidates the new guided installer, verification commands, and rol
 | Requirement | Minimum | Notes |
 | --- | --- | --- |
 | Ruby | 4.0.1 | Use rbenv and match the engine's `.ruby-version`. |
-| Rails | 8.1.2 | Run `bin/rails about` inside the host to confirm. |
+| Rails | 8.1.3 | Run `bin/rails about` inside the host to confirm. |
 | PostgreSQL | 14+ | Required for Solid Queue tables and item storage. |
 | Node.js | 18+ | Needed for Tailwind/esbuild assets when the host owns node tooling. |
 | Background jobs | Solid Queue (>= 0.3, < 3.0) | Add `solid_queue` to the host Gemfile if not present. |
@@ -18,8 +18,8 @@ This guide consolidates the new guided installer, verification commands, and rol
 Run these commands inside your host Rails application before invoking the guided workflow:
 
 ```bash
-bundle add source_monitor --version "~> 0.14.0"
-# or add gem "source_monitor", "~> 0.14.0" to Gemfile manually
+bundle add source_monitor --version "~> 0.15.0"
+# or add gem "source_monitor", "~> 0.15.0" to Gemfile manually
 bundle install
 ```
 

diff --git a/docs/upgrade.md b/docs/upgrade.md
@@ -46,6 +46,20 @@ If a removed option raises an error (`SourceMonitor::DeprecatedOptionError`), yo
 
 ## Version-Specific Notes
 
+### Upgrading to 0.15.0
+
+**What changed:**
+- **Security:** Rails bumped to 8.1.3 (security release), fixing five CVEs including XSS in tag/DebugExceptions helpers, an Active Storage path-traversal, and a NumberConverter issue.
+- **ViewComponent 4.x compatibility:** The `view_component` dependency constraint widens from `>= 3.0, < 4.0` to `>= 3.0, < 5.0`, so host apps can now resolve ViewComponent 4.x (the engine's lockfile moves to 4.5.0). The engine's components use only stable ViewComponent APIs unaffected by the v4 upgrade, but host apps with their own ViewComponent 3.x customizations should review the [ViewComponent v4 release notes](https://github.com/ViewComponent/view_component/releases) before running `bundle update`.
+- **Solid Queue 1.4.0:** Bumped from 1.3.1 with race-condition and supervisor stability fixes. The new dynamic recurring-tasks feature is opt-in and off by default.
+- **Documentation:** Engine conventions consolidated into `AGENTS.md` as the canonical cross-agent reference; `CLAUDE.md` now points to it.
+
+**Action items:**
+1. `bundle update source_monitor`
+2. `bin/rails source_monitor:upgrade`
+3. No database migrations and no breaking API or configuration changes.
+4. If your host app has its own ViewComponent 3.x customizations, test after upgrading and consult the ViewComponent v4 migration guide if issues arise.
+
 ### Upgrading to 0.14.0
 
 **What changed:**

diff --git a/lib/source_monitor/version.rb b/lib/source_monitor/version.rb
@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SourceMonitor
-  VERSION = "0.14.0"
+  VERSION = "0.15.0"
 end
diff --git a/test/models/source_monitor/fetch_log_test.rb b/test/models/source_monitor/fetch_log_test.rb
@@ -49,7 +49,9 @@ def build_loggable(overrides = {})
 
       source_logs = FetchLog.where(source: @source)
       assert_equal [ failed, successful, older ], source_logs.recent.to_a
-      assert_equal [ successful, older ], source_logs.successful.to_a
+      # successful/failed are filter-only scopes (no inherent order); chain :recent
+      # for a deterministic comparison rather than relying on DB row order.
+      assert_equal [ successful, older ], source_logs.successful.recent.to_a
       assert_equal [ failed ], source_logs.failed.to_a
     end