Merged
4 changes: 4 additions & 0 deletions .gitignore
Expand Up @@ -20,3 +20,7 @@
# Claude Code personal workflows (local only)
.claude/
CLAUDE.md

# Codex personal workflows (local only)
.agents/
AGENTS.md
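Review bot: The `.agents/` and `AGENTS.md` entries at the end of this hunk are unrelated to the view refactor the rest of the change ships. Personal tool files are better handled in each contributor's global excludes or `.git/info/exclude`; if they stay in the repository `.gitignore`, split them into their own commit so the 2.0.0 diff stays focused.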
21 changes: 21 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,26 @@
# Changelog

## [2.0.0] - 2026-05-12

### Changed

- **Major architectural refactor**: the dashboard now renders via standard Rails ERB views, helpers, and partials instead of Ruby presenters emitting HTML strings. Configuration, mount point, URLs, HTTP Basic auth, and CSP nonce support are unchanged.
- CSS and JavaScript are now served as external assets via a new `AssetsController` with content-hashed URLs and `Cache-Control: immutable`. No Sprockets or Propshaft dependency is required, so Rails API-only host applications keep working as in v1.x.
- Dashboard pages now work under a strict `script-src 'self'; style-src 'self'` Content Security Policy without requiring host-app nonce configuration. Nonce-on-link-tag behavior is preserved for hosts running nonce-only CSPs.
- Runtime configuration such as auto-refresh interval, auto-refresh enabled state, and theme preference is now passed via `<body data-*>` attributes instead of inline JavaScript interpolation.

### Removed

- `SolidQueueMonitor::HtmlGenerator`, `StylesheetGenerator`, `ChartPresenter`, `BasePresenter`, and all `*Presenter` classes. These were internal and not documented as public API. Users who reached into them via monkey patches will need to migrate to view/helper overrides.
- `SolidQueueMonitor::BaseController#render_page` now that Rails implicit rendering handles all pages.
- The brief inline `<script>` that prevented dark-mode first-paint flash has been removed in favor of zero inline scripts. Users with a dark system preference may see a short light flash on the first page load; subsequent loads use the cached localStorage value.

### Migration

For most users, `bundle update solid_queue_monitor` is sufficient. The dashboard looks and behaves identically. Configuration options, routes, authentication, and CSP nonce support are unchanged.

If you customized the UI by monkey-patching a presenter, migrate that customization to view/helper overrides. Open an issue at https://github.com/vishaltps/solid_queue_monitor/issues if you need guidance.

## [1.3.0] - 2026-04-16

### Added
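Review bot: The first "Changed" bullet says HTTP Basic auth is unchanged and the second introduces a new `AssetsController`, but nothing states whether the asset routes sit behind that same authentication or are served without it. Because those responses carry `Cache-Control: immutable`, the entry should say which it is, so operators know whether unauthenticated requests can reach the CSS and JavaScript and whether shared caches may store them. One added sentence in the `AssetsController` bullet would cover it.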
2 changes: 1 addition & 1 deletion Gemfile.lock
@@ -1,7 +1,7 @@
PATH
remote: .
specs:
solid_queue_monitor (1.3.0)
solid_queue_monitor (2.0.0)
rails (>= 7.0)
solid_queue (>= 0.1.0)

24 changes: 20 additions & 4 deletions README.md
Expand Up @@ -72,7 +72,7 @@ A lightweight, zero-dependency web interface for monitoring Solid Queue backgrou
Add this line to your application's Gemfile:

```ruby
gem 'solid_queue_monitor', '~> 1.2'
gem 'solid_queue_monitor', '~> 2.0'
```

Then execute:
Expand Down Expand Up @@ -208,9 +208,23 @@ This makes it easy to find specific jobs when debugging issues in your applicati

## Content Security Policy

Solid Queue Monitor is compatible with strict Content Security Policy as of v1.3.0.
Solid Queue Monitor is fully CSP-compatible as of v2.0.0. The dashboard works out of the box under strict policies — no nonce configuration is required.

If your application uses nonce-based CSP (the Rails default when `content_security_policy_nonce_generator` is set), Solid Queue Monitor will automatically stamp the per-request nonce onto every inline `<style>` and `<script>` tag it emits. Ensure your nonce directives include both `script-src` and `style-src`:
### Strict CSP (v2.0.0+)

As of v2.0 the dashboard's CSS and JavaScript are served as external, content-hashed assets (e.g. `/solid_queue/assets/application-a1b2c3d4.css`) with `Cache-Control: immutable`. The dashboard emits zero inline `<style>` or `<script>` blocks. A strict policy that only allows `'self'` for both directives is sufficient:

```ruby
# config/initializers/content_security_policy.rb
Rails.application.config.content_security_policy do |policy|
policy.script_src :self
policy.style_src :self
end
```

### Nonce-based CSP

Nonce-based CSP is also supported. When `content_security_policy_nonce_generator` is configured, Solid Queue Monitor stamps the per-request nonce onto the `<link rel="stylesheet">` and `<script src="...">` tags it emits — so policies that exclude `'self'` and only allow nonces still work:

```ruby
# config/initializers/content_security_policy.rb
Expand All @@ -223,7 +237,9 @@ Rails.application.config.content_security_policy_nonce_generator = ->(req) { Sec
Rails.application.config.content_security_policy_nonce_directives = %w[script-src style-src]
```

No other configuration is required. If your application runs CSP without nonces (e.g., strict `script-src 'self'` only), the monitor UI will not function — asset-extraction support is tracked for a future release.
### Upgrading from v1.x

v1.x emitted inline `<style nonce>` and `<script nonce>` blocks, so a nonce generator was effectively required for strict policies. v2.0 removes all inline blocks. If you added a nonce generator only to make the monitor work, you can keep it (no harm) or remove it.

## Contributing

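Review bot: In the "Strict CSP (v2.0.0+)" paragraph the guarantee is worded as zero inline `<style>` or `<script>` blocks, which leaves inline `style="..."` attributes and `on*` event-handler attributes uncovered. `style-src 'self'` and `script-src 'self'` block those as well, and a nonce does not authorize them, so the nonce-only path has the same gap. If the new ERB views emit none, say so in that sentence; if any remain, the statement that `'self'` for both directives is sufficient needs qualifying. The "Upgrading from v1.x" text could also mention the first-load light flash for dark-mode users that the CHANGELOG lists under "Removed", since that is the one behaviour change an upgrader will see.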