
verify: audit and align gemspec required_ruby_version constraints (WA-VERIFY-073)#1050

Merged
kitcommerce merged 1 commit into next from issue-1045-gemspec-ruby-version on Mar 17, 2026

Conversation

@kitcommerce (Contributor)

Summary

Audits and aligns required_ruby_version constraints across all Workarea gemspecs.

Findings

| Gemspec | Before | After | Status |
| --- | --- | --- | --- |
| core/workarea-core.gemspec | >= 2.7.0, < 3.5.0 | No change | ✅ Already correct |
| testing/workarea-testing.gemspec | >= 2.3.0 | >= 2.7.0, < 3.5.0 | ✅ Tightened |
| admin/workarea-admin.gemspec | (missing) | >= 2.7.0, < 3.5.0 | ✅ Added |
| storefront/workarea-storefront.gemspec | (missing) | >= 2.7.0, < 3.5.0 | ✅ Added |
| workarea.gemspec (meta) | (missing) | >= 2.7.0, < 3.5.0 | ✅ Added |

Constraint >= 2.7.0, < 3.5.0 matches the CI matrix (Ruby 2.7, 3.1, 3.2, 3.3, 3.4).

Full audit notes: notes/gemspec-ruby-version-audit-2026-03-17.md

Client Impact

None for existing installations. Bundler enforces this at gem install time only. Prevents installation on EOL Rubies (< 2.7) that were already unsupported in practice.

Fixes #1045

…-VERIFY-073)

Adds missing required_ruby_version to admin, storefront, and workarea meta gemspecs.
Tightens testing gemspec from >= 2.3.0 to >= 2.7.0, < 3.5.0.
Core was already correctly constrained.

Constraint: >= 2.7.0, < 3.5.0 (matches CI matrix: Ruby 2.7, 3.1, 3.2, 3.3, 3.4)

Client Impact: None for existing installations. Prevents installation on EOL Rubies
(< 2.7) which were already unsupported in practice.
@kitcommerce (Contributor, Author)

Wave 1 Review Summary

Branch: issue-1045-gemspec-ruby-version | Reviewer: Kit (automated) | Date: 2026-03-17


🏛️ Architecture — PASS

Summary: Constraint alignment across all gemspecs in the monorepo is architecturally sound. The meta gem (workarea.gemspec) correctly declares required_ruby_version — it is the top-level install surface for users and must enforce Ruby compatibility independently of its sub-gem dependencies. Consistent constraints across all five gemspecs (core, admin, storefront, testing, meta) eliminate the class of "sub-gem installs fine, meta-gem silently accepts incompatible Ruby" bugs.

Findings:

  • ✅ All five gemspecs now declare the same constraint — architectural consistency achieved
  • ✅ Meta gem constraint is not redundant; Bundler evaluates each gem's constraint at install time
  • ✅ CI matrix (2.7, 3.1–3.4) is faithfully reflected in the constraint range

🧹 Simplicity — PASS_WITH_NOTES

Severity: LOW

Summary: The array format ['>= 2.7.0', '< 3.5.0'] is valid but introduces a minor inconsistency risk. If core/workarea-core.gemspec (unchanged) uses the string form '>= 2.7.0, < 3.5.0', the four new/modified gemspecs use a different syntactic style for the same constraint. Both are functionally equivalent per the Rubygems spec.

Findings:

  • ⚠️ Array vs string format: verify core gemspec format for consistency. If core uses string form, consider standardizing all to '>= 2.7.0, < 3.5.0' (one string)
  • ✅ Array form is semantically correct and well-supported by Bundler/Rubygems
  • ✅ No unnecessary complexity introduced — this is the right minimal change

🔒 Security — PASS

Summary: This change is a net security improvement. Dropping the lower bound from Ruby 2.3.0 (EOL March 2019, 7+ years ago, numerous unfixed CVEs) to 2.7.0 prevents accidental deployment on a long-unsupported Ruby. The upper bound < 3.5.0 is appropriate defensive hygiene — untested versions should be gated.

Findings:

  • ✅ Ruby 2.3.0 lower bound removal from workarea-testing.gemspec is a security improvement
  • ✅ Ruby 2.7 is EOL (March 2023) but far safer than 2.3; acceptable given CI matrix anchor
  • ✅ Upper bound prevents silent use on Ruby 3.5+ where behavior is untested
  • ✅ No security regression possible — constraint is additive/restrictive only

🚂 Rails Conventions — PASS_WITH_NOTES

Severity: LOW

Summary: Gemspec hygiene is good. required_ruby_version placement before add_dependency follows community convention. Minor notes on the notes file.

Findings:

  • required_ruby_version is standard Rails/gem community practice
  • ✅ Blank line separator after constraint before add_dependency — clean formatting
  • ⚠️ notes/gemspec-ruby-version-audit-2026-03-17.md with a date in the filename is non-standard for committed documentation; conventional alternatives are CHANGELOG.md entries or doc/ subdirectory. Low impact but worth noting for project conventions
  • ⚠️ Array format ['>= 2.7.0', '< 3.5.0'] deviates slightly from the single-string form more commonly seen in Rails ecosystem gemspecs (e.g., Rails own gemspecs). Suggest '>= 2.7.0, < 3.5.0' for idiom alignment

Wave 1 Verdict: ✅ PASS_WITH_NOTES

All four reviewers pass. Two minor LOW-severity notes (format consistency, notes file convention) — neither blocks merge. Recommend addressing in a follow-up or at author discretion.

| Reviewer | Verdict | Severity |
| --- | --- | --- |
| Architecture | PASS | |
| Simplicity | PASS_WITH_NOTES | LOW |
| Security | PASS | |
| Rails Conventions | PASS_WITH_NOTES | LOW |

Wave 1 complete. Proceeding to label update.
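As an added example (not part of this PR or of the Workarea code base), the following Ruby script evaluates the PR's constraint the way RubyGems/Bundler do at install time, confirms that the array form and the multi-argument form parse to the same Gem::Requirement (the equivalence the Simplicity review relies on), and lists which sample Ruby versions the old workarea-testing bound admitted but the tightened constraint rejects. The version list, constant names and function names are constructed for the illustration.

```ruby
require 'rubygems'

# The constraint the PR adds, in the array form the changed gemspecs use.
NEW_RUBY_REQUIREMENT = Gem::Requirement.new(['>= 2.7.0', '< 3.5.0'])

# The bound workarea-testing.gemspec carried before the PR.
OLD_TESTING_REQUIREMENT = Gem::Requirement.new('>= 2.3.0')

# Passing the two clauses as separate arguments builds the same requirement;
# Gem::Requirement#== compares the parsed clauses, not the literal text.
def same_requirement_as_split_args?
  NEW_RUBY_REQUIREMENT == Gem::Requirement.new('>= 2.7.0', '< 3.5.0')
end

# Mirrors the install-time check: RubyGems/Bundler wrap the interpreter's
# RUBY_VERSION in a Gem::Version and test it against required_ruby_version.
# Returns true when the gem would be allowed to install on that Ruby.
def installable_on?(ruby_version, requirement = NEW_RUBY_REQUIREMENT)
  requirement.satisfied_by?(Gem::Version.new(ruby_version))
end

# Constructed sample versions: the PR's CI matrix, two EOL releases that the
# old '>= 2.3.0' bound still accepted, and the first release above the upper bound.
SAMPLE_RUBIES = %w[2.3.0 2.6.10 2.7.0 2.7.8 3.1.6 3.2.8 3.3.7 3.4.1 3.5.0].freeze

# Map each sample version to whether the new constraint admits it.
def audit(versions = SAMPLE_RUBIES)
  versions.to_h { |v| [v, installable_on?(v)] }
end

# Versions the old testing bound admitted that the tightened constraint rejects:
# the EOL Rubies below 2.7 plus anything at or above the untested 3.5.0.
def newly_rejected(versions = SAMPLE_RUBIES)
  versions.select { |v| installable_on?(v, OLD_TESTING_REQUIREMENT) && !installable_on?(v) }
end

if __FILE__ == $PROGRAM_NAME
  audit.each { |v, ok| puts format('Ruby %-7s %s', v, ok ? 'allowed' : 'rejected') }
  puts "newly rejected vs '>= 2.3.0': #{newly_rejected.join(', ')}"
  puts "this interpreter (#{RUBY_VERSION}): #{installable_on?(RUBY_VERSION) ? 'allowed' : 'rejected'}"
end
```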

@kitcommerce kitcommerce added review:architecture-done Review complete review:simplicity-done Review complete review:security-done Review complete review:rails-conventions-done Rails conventions review complete review:wave1-complete review:rails-security-pending Rails security review in progress review:database-pending Database review in progress review:test-quality-pending Review in progress and removed review:architecture-pending Review in progress review:simplicity-pending Review in progress review:security-pending Review in progress review:rails-conventions-pending Rails conventions review in progress labels Mar 17, 2026
@kitcommerce (Contributor, Author)

Wave 2 Gate Result ✅ PASS

Auto-generated by Kit (OpenClaw review pipeline) · Wave 2 of 4 · 2026-03-17T05:55:48Z

| Reviewer | Verdict | Severity |
| --- | --- | --- |
| rails-security | PASS | |
| database | PASS | |
| test-quality | PASS | |

All three Wave 2 reviewers passed. No blocking findings. Proceeding to Wave 3 (performance, accessibility, frontend).

@kitcommerce (Contributor, Author)

Wave 3 Performance Review

{
  "reviewer": "performance",
  "verdict": "PASS",
  "severity": null,
  "summary": "Changes only adjust gemspec required_ruby_version metadata and add notes; no runtime performance impact.",
  "findings": []
}

No performance concerns: required_ruby_version is evaluated by RubyGems/Bundler at install/resolve time and does not affect application runtime. No new dependencies, loops, queries, I/O, or allocations introduced.

@kitcommerce (Contributor, Author)

Wave 3 Frontend Review

{
  "reviewer": "frontend",
  "verdict": "PASS",
  "severity": null,
  "summary": "No frontend (JS/TS/Hotwire) changes in this PR; gemspec Ruby version alignment only.",
  "findings": []
}

No JavaScript/TypeScript, Stimulus, or Turbo-related diffs to review here.

@kitcommerce (Contributor, Author)

Wave 3 Accessibility Review

{
  "reviewer": "accessibility",
  "verdict": "PASS",
  "severity": null,
  "summary": "No accessibility-impacting changes detected; PR only updates gemspec Ruby version constraints and adds internal audit notes.",
  "findings": []
}

No UI, copy, or platform-specific accessibility surfaces were changed in this PR (only Ruby gemspec metadata and a notes markdown file), so there are no a11y concerns to address here.

@kitcommerce kitcommerce added review:documentation-pending and removed review:test-quality-pending Review in progress review:rails-security-pending Rails security review in progress review:database-pending Database review in progress labels Mar 17, 2026
@kitcommerce (Contributor, Author)

Documentation review ✅

PR description is clear and includes a helpful before/after table plus client impact. The added audit notes file (notes/gemspec-ruby-version-audit-2026-03-17.md) is readable, scoped, and provides rationale + recommended constraints.

Minor doc nits (optional):

  • Audit notes list CI versions as (2.7, 3.1–3.4) but one bullet says “Allows … (2.7, 3.1, 3.2, 3.3)” and omits 3.4; consider including 3.4 there for consistency.
  • The “Follow-up issues recommended” section mentions filing a follow-up issue to update 4 gemspecs, but this PR already performs that work; suggest rewording to reflect that the PR implements the recommended changes, and keep the remaining follow-up as “consider widening upper bound once Ruby 3.5 is tested.”

No blockers from a docs perspective.

@kitcommerce (Contributor, Author)

✅ All Review Waves Passed

All reviewers returned PASS or PASS_WITH_NOTES. This PR is merge-ready.

  • Wave 1 (Foundation): ✅
  • Wave 2 (Correctness): ✅
  • Wave 3 (Quality): ✅
  • Wave 4 (Documentation): ✅ (minor doc nits, non-blocking)

Labeled merge:ready. Awaiting 60-minute hold window before auto-merge.

@kitcommerce kitcommerce added the gate:build-passed Build gate passed label Mar 17, 2026
@kitcommerce kitcommerce merged commit 789a979 into next Mar 17, 2026
35 of 36 checks passed
@kitcommerce kitcommerce deleted the issue-1045-gemspec-ruby-version branch March 17, 2026 07:12
kitcommerce pushed a commit that referenced this pull request Mar 17, 2026
… (WA-VERIFY-080)

All 5 Workarea gemspecs had required_ruby_version in array form
(['>= 2.7.0', '< 3.5.0']) from PR #1050. Convert to canonical
single-string form ('>= 2.7.0, < 3.5.0') for consistency.

Both forms are semantically equivalent; single-string is the
conventional format for gemspec constraints.

Fixes #1062