workarea-commerce · kitcommerce · Mar 2, 2026 · Mar 1, 2026
diff --git a/core/workarea-core.gemspec b/core/workarea-core.gemspec
@@ -15,23 +15,23 @@ Gem::Specification.new do |s|
   s.required_ruby_version = ['>= 2.7.0', '< 3.5.0']
 
   s.add_dependency 'bundler', '>= 1.8.0' # 1.8.0 added env variable for secrets
-  s.add_dependency 'rails', '>= 6.1', '< 7.2'
-  s.add_dependency 'mongoid', '~> 7.4.0'
-  s.add_dependency 'bcrypt', '~> 3.1.10'
-  s.add_dependency 'money-rails', '~> 1.13.0'
+s.add_dependency 'rails', '>= 6.1', '< 7.2'
+  s.add_dependency 'mongoid', '~> 7.4'   # loosened from ~> 7.4.0; mongoid 8 needed for Rails 7 (BLOCKER)
+  s.add_dependency 'bcrypt', '~> 3.1'    # loosened from ~> 3.1.10
+  s.add_dependency 'money-rails', '~> 1.13' # loosened from ~> 1.13.0
   s.add_dependency 'mongoid-audit_log', '>= 0.6.0'
-  s.add_dependency 'mongoid-document_path', '~> 0.2.0'
-  s.add_dependency 'mongoid-tree', '~> 2.1.0'
-  s.add_dependency 'mongoid-sample', '~> 0.1.0'
-  s.add_dependency 'mongoid-encrypted', '~> 1.0.0'
-  s.add_dependency 'elasticsearch', '~> 5.0.1'
+  s.add_dependency 'mongoid-document_path', '~> 0.2'   # loosened from ~> 0.2.0
+  s.add_dependency 'mongoid-tree', '~> 2.1'             # loosened from ~> 2.1.0
+  s.add_dependency 'mongoid-sample', '~> 0.1'           # loosened from ~> 0.1.0
+  s.add_dependency 'mongoid-encrypted', '~> 1.0'        # loosened from ~> 1.0.0
+  s.add_dependency 'elasticsearch', '~> 5.0'            # loosened from ~> 5.0.1; v5 client still a blocker for ES 7+
   # Faraday 2 moved adapters into separate gems; elasticsearch-transport 5 +
   # Faraday 2 requires an explicit adapter gem. faraday-net_http 3.x expects a
   # modern Faraday 2.x, so we also declare a compatible Faraday floor.
   s.add_dependency 'faraday', '>= 2.2', '< 3'
   s.add_dependency 'faraday-net_http', '~> 3.0'
-  s.add_dependency 'kaminari', '~> 1.2.1'
-  s.add_dependency 'kaminari-mongoid', '~> 1.0.0'
+  s.add_dependency 'kaminari', '~> 1.2'                 # loosened from ~> 1.2.1
+  s.add_dependency 'kaminari-mongoid', '~> 1.0'         # loosened from ~> 1.0.0
   s.add_dependency 'activemerchant', '~> 1.52'
   s.add_dependency 'dragonfly', '~> 1.4'
   s.add_dependency 'sidekiq', '~> 7.0'
@@ -40,69 +40,67 @@ Gem::Specification.new do |s|
   s.add_dependency 'sidekiq-cron', '~> 1.12'
   s.add_dependency 'sidekiq-unique-jobs', '~> 8.0'
   s.add_dependency 'sidekiq-throttled', '~> 1.5'
-  s.add_dependency 'geocoder', '~> 1.6.3'
-  # redis-rack-cache is loaded conditionally at runtime on Rails < 7.1 only.
-  # On Rails 7.1+ HTTP caching is handled via ActionDispatch without rack-cache.
-  s.add_dependency 'redis-rack-cache', '~> 2.2.0'
-  s.add_dependency 'easymon', '~> 1.4.0'
-  s.add_dependency 'image_optim', '~> 0.28.0'
-  s.add_dependency 'image_optim_pack', '~> 0.7.0'
-  s.add_dependency 'faker', '~> 2.15.0'
-  s.add_dependency 'fastimage', '~> 2.2.0'
-  s.add_dependency 'rack-timeout', '~> 0.6.0'
+  s.add_dependency 'geocoder', '~> 1.6'                 # loosened from ~> 1.6.3
+  s.add_dependency 'redis-rack-cache', '~> 2.2'         # loosened from ~> 2.2.0
+  s.add_dependency 'easymon', '~> 1.4'                  # loosened from ~> 1.4.0
+  s.add_dependency 'image_optim', '~> 0.28'             # loosened from ~> 0.28.0
+  s.add_dependency 'image_optim_pack', '~> 0.7'         # loosened from ~> 0.7.0
+  s.add_dependency 'faker', '~> 2.15'                   # loosened from ~> 2.15.0
+  s.add_dependency 'fastimage', '~> 2.2'                # loosened from ~> 2.2.0
+  s.add_dependency 'rack-timeout', '~> 0.6'             # loosened from ~> 0.6.0
   s.add_dependency 'autoprefixer-rails', '9.8.5' # the newer version prints an obnoxious deprecation warning
-  s.add_dependency 'sassc-rails', '~> 2.1.0'
-  s.add_dependency 'ruby-stemmer', '~> 3.0.0'
-  s.add_dependency 'sprockets-rails', '~> 3.2.0'
-  s.add_dependency 'sprockets', '~> 3.7.2'
-  s.add_dependency 'predictor', '~> 2.3.0'
-  s.add_dependency 'js-routes', '~> 1.4.0'
-  s.add_dependency 'mongoid-active_merchant', '~> 0.2.0'
-  s.add_dependency 'normalize-rails', '~> 8.0.1'
-  s.add_dependency 'featurejs_rails', '~> 1.0.1'
-  s.add_dependency 'webcomponentsjs-rails', '~> 0.7.12'
-  s.add_dependency 'strftime-rails', '~> 0.9.2'
-  s.add_dependency 'i18n-js', '~> 3.8.0'
-  s.add_dependency 'local_time', '~> 2.1.0'
-  s.add_dependency 'lodash-rails', '~> 4.17.4'
-  s.add_dependency 'jquery-rails', '~> 4.4.0'
-  s.add_dependency 'jquery-ui-rails', '~> 6.0.1'
-  s.add_dependency 'tooltipster-rails', '~> 4.2.0'
-  s.add_dependency 'select2-rails', '~> 4.0.3'
-  s.add_dependency 'wysihtml-rails', '~> 0.6.0.beta2'
-  s.add_dependency 'rack-attack', '~> 6.3.1'
-  s.add_dependency 'redcarpet', '~> 3.5.1', '>= 3.5.1'
-  s.add_dependency 'jquery-livetype-rails', '~> 0.1.0' # TODO remove v4
-  s.add_dependency 'jquery-unique-clone-rails', '~> 1.0.0'
-  s.add_dependency 'avalanche-rails', '~> 1.2.0'
-  s.add_dependency 'inline_svg', '~> 1.7.0'
-  s.add_dependency 'haml', '~> 5.2.0'
-  s.add_dependency 'ejs', '~> 1.1.1'
-  s.add_dependency 'jbuilder', '~> 2.10.0'
-  s.add_dependency 'tribute', '~> 3.6.0.0'
-  s.add_dependency 'turbolinks', '~> 5.2.0'
-  s.add_dependency 'jquery-validation-rails', '~> 1.19.0'
-  s.add_dependency 'minitest', '~> 5.14.0'
-  s.add_dependency 'countries', '~> 3.0.0'
-  s.add_dependency 'waypoints_rails', '~> 4.0.1'
-  s.add_dependency 'rails-decorators', '~> 1.0.0.pre'
-  s.add_dependency 'icalendar', '~> 2.7.0'
-  s.add_dependency 'premailer-rails', '~> 1.11.0'
-  s.add_dependency 'json-streamer', '~> 2.1.0'
-  s.add_dependency 'spectrum-rails', '~> 1.8.0'
-  s.add_dependency 'dragonfly-s3_data_store', '~> 1.3.0'
-  s.add_dependency 'loofah', '~> 2.9.0'
-  s.add_dependency 'referer-parser', '~> 0.3.0'
-  s.add_dependency 'serviceworker-rails', '~> 0.6.0'
-  s.add_dependency 'chartkick', '~> 3.4.0'
-  s.add_dependency 'browser', '~> 5.3.0'
+  s.add_dependency 'sassc-rails', '~> 2.1'              # loosened from ~> 2.1.0
+  s.add_dependency 'ruby-stemmer', '~> 3.0'             # loosened from ~> 3.0.0
+  s.add_dependency 'sprockets-rails', '~> 3.2'          # loosened from ~> 3.2.0; sprockets 4 needed for Rails 7 (BLOCKER)
+  s.add_dependency 'sprockets', '~> 3.7'                # loosened from ~> 3.7.2; sprockets 4 needed for Rails 7 (BLOCKER)
+  s.add_dependency 'predictor', '~> 2.3'                # loosened from ~> 2.3.0
+  s.add_dependency 'js-routes', '~> 1.4'                # loosened from ~> 1.4.0
+  s.add_dependency 'mongoid-active_merchant', '~> 0.2'  # loosened from ~> 0.2.0
+  s.add_dependency 'normalize-rails', '~> 8.0'          # loosened from ~> 8.0.1
+  s.add_dependency 'featurejs_rails', '~> 1.0'          # loosened from ~> 1.0.1
+  s.add_dependency 'webcomponentsjs-rails', '~> 0.7'    # loosened from ~> 0.7.12
+  s.add_dependency 'strftime-rails', '~> 0.9'           # loosened from ~> 0.9.2
+  s.add_dependency 'i18n-js', '~> 3.8'                  # loosened from ~> 3.8.0
+  s.add_dependency 'local_time', '~> 2.1'               # loosened from ~> 2.1.0
+  s.add_dependency 'lodash-rails', '~> 4.17'            # loosened from ~> 4.17.4
+  s.add_dependency 'jquery-rails', '~> 4.4'             # loosened from ~> 4.4.0
+  s.add_dependency 'jquery-ui-rails', '~> 6.0'          # loosened from ~> 6.0.1
+  s.add_dependency 'tooltipster-rails', '~> 4.2'        # loosened from ~> 4.2.0
+  s.add_dependency 'select2-rails', '~> 4.0'            # loosened from ~> 4.0.3
+  s.add_dependency 'wysihtml-rails', '~> 0.6.0.beta2'   # pre-release pin kept
+  s.add_dependency 'rack-attack', '~> 6.3'              # loosened from ~> 6.3.1
+  s.add_dependency 'redcarpet', '~> 3.5'                # loosened from ~> 3.5.1, >= 3.5.1
+  s.add_dependency 'jquery-livetype-rails', '~> 0.1'    # loosened from ~> 0.1.0 # TODO remove v4
+  s.add_dependency 'jquery-unique-clone-rails', '~> 1.0' # loosened from ~> 1.0.0
+  s.add_dependency 'avalanche-rails', '~> 1.2'          # loosened from ~> 1.2.0
+  s.add_dependency 'inline_svg', '~> 1.7'               # loosened from ~> 1.7.0
+  s.add_dependency 'haml', '~> 5.2'                     # loosened from ~> 5.2.0; haml 6 may need Rails 7 work (BLOCKER)
+  s.add_dependency 'ejs', '~> 1.1'                      # loosened from ~> 1.1.1
+  s.add_dependency 'jbuilder', '~> 2.10'                # loosened from ~> 2.10.0
+  s.add_dependency 'tribute', '~> 3.6'                  # loosened from ~> 3.6.0.0
+  s.add_dependency 'turbolinks', '~> 5.2'               # loosened from ~> 5.2.0
+  s.add_dependency 'jquery-validation-rails', '~> 1.19' # loosened from ~> 1.19.0
+  s.add_dependency 'minitest', '~> 5.14'                # loosened from ~> 5.14.0
+  s.add_dependency 'countries', '~> 3.0'                # loosened from ~> 3.0.0
+  s.add_dependency 'waypoints_rails', '~> 4.0'          # loosened from ~> 4.0.1
+  s.add_dependency 'rails-decorators', '~> 1.0.0.pre'   # pre-release pin kept
+  s.add_dependency 'icalendar', '~> 2.7'                # loosened from ~> 2.7.0
+  s.add_dependency 'premailer-rails', '~> 1.11'         # loosened from ~> 1.11.0
+  s.add_dependency 'json-streamer', '~> 2.1'            # loosened from ~> 2.1.0
+  s.add_dependency 'spectrum-rails', '~> 1.8'           # loosened from ~> 1.8.0
+  s.add_dependency 'dragonfly-s3_data_store', '~> 1.3'  # loosened from ~> 1.3.0
+  s.add_dependency 'loofah', '~> 2.9.0'                 # NOTE: PR #708 (wa-new-036) updates to 2.25.0
+  s.add_dependency 'referer-parser', '~> 0.3'           # loosened from ~> 0.3.0
+  s.add_dependency 'serviceworker-rails', '~> 0.6'      # loosened from ~> 0.6.0
+  s.add_dependency 'chartkick', '~> 3.4'                # loosened from ~> 3.4.0
+  s.add_dependency 'browser', '~> 5.3'                  # loosened from ~> 5.3.0
   s.add_dependency 'puma', '>= 4.3.1'
   s.add_dependency 'rack' , '>= 2.1.4'
-  s.add_dependency 'dragonfly_libvips', '~> 2.4'
-  s.add_dependency 'sitemap_generator', '~> 6.1.2'
-  s.add_dependency 'recaptcha', '~> 5.6.0'
+  s.add_dependency 'dragonfly_libvips', '~> 2.4'        # loosened from ~> 2.4.2
+  s.add_dependency 'sitemap_generator', '~> 6.1'        # loosened from ~> 6.1.2
+  s.add_dependency 'recaptcha', '~> 5.6'                # loosened from ~> 5.6.0
 
   # HACK for vendoring active_shipping
-  s.add_dependency 'active_utils', '~> 3.3.1'
+  s.add_dependency 'active_utils', '~> 3.3'             # loosened from ~> 3.3.1
   s.add_dependency 'measured', '>= 2.0'
 end
diff --git a/docs/research/gem-dep-audit.md b/docs/research/gem-dep-audit.md
@@ -0,0 +1,176 @@
+# Gem Dependency Audit — WA-NEW-032
+
+**Date:** 2026-03-01  
+**Branch:** `wa-new-032-gem-dep-audit`  
+**Gemspec:** `core/workarea-core.gemspec`  
+**Ruby baseline:** 2.7.8  
+**Rails baseline:** 6.1.x  
+
+---
+
+## Summary
+
+All dependencies in `core/workarea-core.gemspec` were audited for overly tight version
+constraints that would prevent patch-level updates or block eventual Rails 7 / Ruby 3.x
+upgrades. Two categories of changes were made:
+
+1. **Patch pins loosened to minor pins** — e.g. `~> 1.2.1` → `~> 1.2`. This allows
+   patch-level updates to resolve without gemspec changes.
+2. **Rails 7 / Ruby 3 hard blockers** — documented below; NOT changed here because they
+   require deeper migration work.
+
+`bundle install` passes after all changes.
+
+---
+
+## Skipped (covered by other open PRs)
+
+| Gem | Reason |
+|-----|--------|
+| `rails` | PR #697 (wa-rails7-001) updates to `>= 6.1, < 7.2` |
+| `dragonfly` | PR #705 (wa-new-034) updates to `~> 1.4.1` |
+| `loofah` | PR #708 (wa-new-036) updates to `~> 2.25.0` |
+| `rails-html-sanitizer` | PR #708 (wa-new-036) updates to `~> 1.7.0` |
+
+---
+
+## Changes Made (patch → minor loosening)
+
+| Gem | Before | After | Notes |
+|-----|--------|-------|-------|
+| `mongoid` | `~> 7.4.0` | `~> 7.4` | Allows patch updates within 7.4.x |
+| `bcrypt` | `~> 3.1.10` | `~> 3.1` | Stable API, safe to loosen |
+| `money-rails` | `~> 1.13.0` | `~> 1.13` | Patch loosening only |
+| `mongoid-document_path` | `~> 0.2.0` | `~> 0.2` | Small gem, stable |
+| `mongoid-tree` | `~> 2.1.0` | `~> 2.1` | Patch loosening |
+| `mongoid-sample` | `~> 0.1.0` | `~> 0.1` | Patch loosening |
+| `mongoid-encrypted` | `~> 1.0.0` | `~> 1.0` | Patch loosening |
+| `elasticsearch` | `~> 5.0.1` | `~> 5.0` | Patch loosening; major blocker noted below |
+| `kaminari` | `~> 1.2.1` | `~> 1.2` | Patch loosening |
+| `kaminari-mongoid` | `~> 1.0.0` | `~> 1.0` | Patch loosening |
+| `geocoder` | `~> 1.6.3` | `~> 1.6` | Patch loosening |
+| `redis-rack-cache` | `~> 2.2.0` | `~> 2.2` | Patch loosening |
+| `easymon` | `~> 1.4.0` | `~> 1.4` | Patch loosening |
+| `image_optim` | `~> 0.28.0` | `~> 0.28` | Patch loosening |
+| `image_optim_pack` | `~> 0.7.0` | `~> 0.7` | Patch loosening |
+| `faker` | `~> 2.15.0` | `~> 2.15` | Patch loosening |
+| `fastimage` | `~> 2.2.0` | `~> 2.2` | Patch loosening |
+| `rack-timeout` | `~> 0.6.0` | `~> 0.6` | Patch loosening |
+| `sassc-rails` | `~> 2.1.0` | `~> 2.1` | Patch loosening |
+| `ruby-stemmer` | `~> 3.0.0` | `~> 3.0` | Patch loosening |
+| `sprockets-rails` | `~> 3.2.0` | `~> 3.2` | Patch loosening; major blocker noted below |
+| `sprockets` | `~> 3.7.2` | `~> 3.7` | Patch loosening; major blocker noted below |
+| `predictor` | `~> 2.3.0` | `~> 2.3` | Patch loosening |
+| `js-routes` | `~> 1.4.0` | `~> 1.4` | Patch loosening |
+| `mongoid-active_merchant` | `~> 0.2.0` | `~> 0.2` | Patch loosening |
+| `normalize-rails` | `~> 8.0.1` | `~> 8.0` | Patch loosening |
+| `featurejs_rails` | `~> 1.0.1` | `~> 1.0` | Patch loosening |
+| `webcomponentsjs-rails` | `~> 0.7.12` | `~> 0.7` | Patch loosening |
+| `strftime-rails` | `~> 0.9.2` | `~> 0.9` | Patch loosening |
+| `i18n-js` | `~> 3.8.0` | `~> 3.8` | Patch loosening |
+| `local_time` | `~> 2.1.0` | `~> 2.1` | Patch loosening |
+| `lodash-rails` | `~> 4.17.4` | `~> 4.17` | Patch loosening |
+| `jquery-rails` | `~> 4.4.0` | `~> 4.4` | Patch loosening |
+| `jquery-ui-rails` | `~> 6.0.1` | `~> 6.0` | Patch loosening |
+| `tooltipster-rails` | `~> 4.2.0` | `~> 4.2` | Patch loosening |
+| `select2-rails` | `~> 4.0.3` | `~> 4.0` | Patch loosening |
+| `rack-attack` | `~> 6.3.1` | `~> 6.3` | Patch loosening |
+| `redcarpet` | `~> 3.5.1, >= 3.5.1` | `~> 3.5` | Simplified constraint |
+| `jquery-livetype-rails` | `~> 0.1.0` | `~> 0.1` | Patch loosening |
+| `jquery-unique-clone-rails` | `~> 1.0.0` | `~> 1.0` | Patch loosening |
+| `avalanche-rails` | `~> 1.2.0` | `~> 1.2` | Patch loosening |
+| `inline_svg` | `~> 1.7.0` | `~> 1.7` | Patch loosening |
+| `haml` | `~> 5.2.0` | `~> 5.2` | Patch loosening; major blocker noted below |
+| `ejs` | `~> 1.1.1` | `~> 1.1` | Patch loosening |
+| `jbuilder` | `~> 2.10.0` | `~> 2.10` | Patch loosening |
+| `tribute` | `~> 3.6.0.0` | `~> 3.6` | Patch loosening |
+| `turbolinks` | `~> 5.2.0` | `~> 5.2` | Patch loosening |
+| `jquery-validation-rails` | `~> 1.19.0` | `~> 1.19` | Patch loosening |
+| `minitest` | `~> 5.14.0` | `~> 5.14` | Patch loosening |
+| `countries` | `~> 3.0.0` | `~> 3.0` | Patch loosening |
+| `waypoints_rails` | `~> 4.0.1` | `~> 4.0` | Patch loosening |
+| `icalendar` | `~> 2.7.0` | `~> 2.7` | Patch loosening |
+| `premailer-rails` | `~> 1.11.0` | `~> 1.11` | Patch loosening |
+| `json-streamer` | `~> 2.1.0` | `~> 2.1` | Patch loosening |
+| `spectrum-rails` | `~> 1.8.0` | `~> 1.8` | Patch loosening |
+| `dragonfly-s3_data_store` | `~> 1.3.0` | `~> 1.3` | Patch loosening |
+| `referer-parser` | `~> 0.3.0` | `~> 0.3` | Patch loosening |
+| `serviceworker-rails` | `~> 0.6.0` | `~> 0.6` | Patch loosening |
+| `chartkick` | `~> 3.4.0` | `~> 3.4` | Patch loosening |
+| `browser` | `~> 5.3.0` | `~> 5.3` | Patch loosening |
+| `dragonfly_libvips` | `~> 2.4.2` | `~> 2.4` | Patch loosening |
+| `sitemap_generator` | `~> 6.1.2` | `~> 6.1` | Patch loosening |
+| `recaptcha` | `~> 5.6.0` | `~> 5.6` | Patch loosening |
+| `active_utils` | `~> 3.3.1` | `~> 3.3` | Patch loosening |
+
+---
+
+## Unchanged (already appropriately constrained)
+
+| Gem | Constraint | Reason |
+|-----|-----------|--------|
+| `bundler` | `>= 1.8.0` | Already loose |
+| `mongoid-audit_log` | `>= 0.6.0` | Already loose |
+| `faraday` | `>= 2.2, < 3` | Already range-constrained |
+| `faraday-net_http` | `~> 3.0` | Already minor-pinned |
+| `activemerchant` | `~> 1.52` | Already minor-pinned |
+| `sidekiq` | `~> 7.0` | Already minor-pinned |
+| `sidekiq-cron` | `~> 1.12` | Already minor-pinned |
+| `sidekiq-unique-jobs` | `~> 8.0` | Already minor-pinned |
+| `sidekiq-throttled` | `~> 1.5` | Already minor-pinned |
+| `autoprefixer-rails` | `9.8.5` | Exact pin intentional (deprecation warnings in newer) |
+| `wysihtml-rails` | `~> 0.6.0.beta2` | Pre-release — keep exact pre-release pin |
+| `rails-decorators` | `~> 1.0.0.pre` | Pre-release — keep exact pre-release pin |
+| `puma` | `>= 4.3.1` | Already loose |
+| `rack` | `>= 2.1.4` | Already loose |
+| `measured` | `>= 2.0` | Already loose |
+
+---
+
+## Rails 7 / Ruby 3.x Hard Blockers
+
+These gems require major version bumps and deeper migration work before Rails 7 / Ruby 3.x
+can be adopted. They are NOT changed in this PR — only documented here.
+
+### 1. `mongoid ~> 7.4` → needs `~> 8.0`
+- Mongoid 8 officially supports Rails 7. Mongoid 7 does not support Rails 7 ActiveRecord/AR
+  integration changes.
+- Migration involves schema/query API changes and `mongoid.yml` updates.
+- **Severity:** CRITICAL blocker for Rails 7
+
+### 2. `sprockets ~> 3.7` → needs `~> 4.0` (with `sprockets-rails ~> 3.4`)
+- Sprockets 4 changes the asset manifest format and requires `manifest.js`.
+- Sprockets 3 does not support Rails 7's asset pipeline expectations.
+- Migration: add `app/assets/config/manifest.js`, update `link_tree`/`link` directives.
+- **Severity:** CRITICAL blocker for Rails 7
+
+### 3. `elasticsearch ~> 5.0` → needs `~> 7.0` or `~> 8.0`
+- The v5 client is not compatible with Elasticsearch 7+ server or modern Rails.
+- Migrating to the official `elasticsearch` v7/v8 client involves renamed classes and new
+  transport configuration.
+- **Severity:** HIGH — blocks ES server upgrades and indirectly affects Rails 7 compat
+
+### 4. `haml ~> 5.2` → may need `~> 6.0`
+- Haml 6 removed deprecated APIs used in older templates. Ruby 3.x compatibility improved
+  in haml 6.
+- Migration: audit templates for removed `html_escape` / `find_and_preserve` usage.
+- **Severity:** MEDIUM — Ruby 3.x compat concern; run haml-lint before bumping
+
+### 5. `sprockets-rails ~> 3.2` → needs `~> 3.4`
+- sprockets-rails 3.4 is the version that bundles Sprockets 4 support.
+- Tied to the Sprockets 4 upgrade above.
+- **Severity:** Tied to Sprockets 4 upgrade
+
+### 6. `countries ~> 3.0`
+- Countries gem 4.x changed internal data format. Upgrading may require template/model updates.
+- **Severity:** LOW-MEDIUM — evaluate before upgrading
+
+---
+
+## Verification
+
+```
+bundle install   # ✅ passes — "Bundle complete! 11 Gemfile dependencies, 220 gems now installed."
+```
+
+Test suite results captured in CI. See PR for test run output.