react_on_rails_pro 16.7.0.rc.3 → 17.0.0.rc.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7a4266ac7cb6a9cdbb62755a17d95282222b6909e64d41ff7b7a7bcf897c2f0a
-  data.tar.gz: 8372bde1ffd861b8f8026e6fa28f4a9f65130ec6c70a42cdfa09a33f6a449c5a
+  metadata.gz: d82436e63c02deff1774b11e01658f6f06a17bca6c583986aea35ac6f8b865de
+  data.tar.gz: e88f6d4495a06792faf61891d8aefe335323dd53461deb612412d5796d8ebe10
 SHA512:
-  metadata.gz: 40ebe444b6abb44184984519f44a61df910f69e9e0fa73841ae552de49ba799ed872e8fc3bd8d8b0af8ca27c5c88946fa8abc28278fe42ac0603ac3d5de8cfde
-  data.tar.gz: fd3568d5daff73971afddf96575237d2e07a738c972c1f0067e6ac8dc32ed4923c3dbdcf41fbe8dc06cb9d446c48b8544fb30e7ede7e8a57f9606fa2ec25dcc7
+  metadata.gz: 4867d95e20f8e7bb15732ea1d749d34f49e8232a8a16b4d8ce5c2203ada419d2d5815569208b410e3f6f3e01ae7dd842896922e686aae5f49edca13de9dd61f6
+  data.tar.gz: 40720afca29e6f6ef1a527d9674adf81bde008edc6b4da86cafc009e2c2ef6e75b6c338e3f4ff4a4ef9dd7d5924aba3d81b5a313eff195bafc0de2750f361752

data/Gemfile.development_dependencies

@@ -8,7 +8,7 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 
 gem "react_on_rails", path: "../"
 
-gem "shakapacker", "9.6.1"
+gem "shakapacker", "10.1.0"
 gem "bootsnap", require: false
 gem "rails", "~> 7.1"
 gem "puma", "~> 6"

data/Gemfile.lock

@@ -9,7 +9,7 @@ GIT
 PATH
   remote: ..
   specs:
-    react_on_rails (16.7.0.rc.3)
+    react_on_rails (17.0.0.rc.1)
       addressable
       connection_pool
       execjs (~> 2.5)
@@ -20,7 +20,7 @@ PATH
 PATH
   remote: .
   specs:
-    react_on_rails_pro (16.7.0.rc.3)
+    react_on_rails_pro (17.0.0.rc.1)
       addressable
       async (>= 2.29)
       async-http (~> 0.95)
@@ -28,7 +28,7 @@ PATH
       io-endpoint (~> 0.17.0)
       jwt (>= 2.5, < 4)
       rainbow
-      react_on_rails (= 16.7.0.rc.3)
+      react_on_rails (= 17.0.0.rc.1)
 
 GEM
   remote: https://rubygems.org/
@@ -296,7 +296,7 @@ GEM
       nio4r (~> 2.0)
     racc (1.8.1)
     rack (3.2.5)
-    rack-proxy (0.7.7)
+    rack-proxy (0.8.2)
       rack
     rack-session (2.1.1)
       base64 (>= 0.1.0)
@@ -425,7 +425,7 @@ GEM
       rubyzip (>= 1.2.2, < 3.0)
       websocket (~> 1.0)
     semantic_range (3.1.1)
-    shakapacker (9.6.1)
+    shakapacker (10.1.0)
       activesupport (>= 5.2)
       package_json
       rack-proxy (>= 0.6.1)
@@ -539,7 +539,7 @@ DEPENDENCIES
   sass-rails
   scss_lint
   selenium-webdriver (= 4.9.0)
-  shakapacker (= 9.6.1)
+  shakapacker (= 10.1.0)
   simplecov (~> 0.16.1)
   spring
   spring-watcher-listen

data/app/controllers/react_on_rails_pro/rolling_deploy/bundles_controller.rb

@@ -13,9 +13,12 @@ module ReactOnRailsPro
     # ReactOnRailsPro::RollingDeployAdapters::Http adapter on the next
     # deploy's build CI consumes both endpoints.
     #
-    # Auto-mounted by the engine when `config.rolling_deploy_adapter` is the
-    # Http adapter (or a subclass). Users who need a custom mount path or want
-    # to layer their own auth middleware can mount manually:
+    # When `config.rolling_deploy_adapter` is the built-in Http adapter, the
+    # Pro engine auto-mounts this controller at
+    # `config.rolling_deploy_mount_path` (default:
+    # `/react_on_rails_pro/rolling_deploy`). Set the mount path to nil or blank
+    # to opt out of the auto-mount. Use `draw_routes` only when you need a
+    # manual mount, such as a secondary path or app-specific routing wrapper:
     #
     #   # config/routes.rb
     #   ReactOnRailsPro::RollingDeploy::BundlesController.draw_routes(
@@ -23,10 +26,11 @@ module ReactOnRailsPro
     #     path: "/internal/rolling-deploy"
     #   )
     #
-    # Callers that need to mount the controller more than once (for example,
-    # the engine auto-mount plus a user-controlled secondary path) must pass
-    # a distinct `as_prefix:` per call so Rails' named-route registry
-    # doesn't raise `ArgumentError: Invalid route name, already in use`.
+    # The engine auto-mount uses an internal route-helper prefix so existing
+    # manual mounts that use the default prefix keep booting during upgrades.
+    # Multiple manual mounts still need distinct `as_prefix:` values so Rails'
+    # named-route registry doesn't raise `ArgumentError: Invalid route name,
+    # already in use`.
     #
     # Security:
     #   * Bearer-token auth via `Authorization: Bearer <token>`, constant-time
@@ -54,11 +58,19 @@ module ReactOnRailsPro
       before_action :set_no_store_headers
 
       DEFAULT_ROUTE_PREFIX = "react_on_rails_pro_rolling_deploy"
+      SAFE_HASH_PATTERN = ReactOnRailsPro::RollingDeploy::SAFE_HASH_PATTERN
+      # Rails route requirements reject anchor characters, while the route
+      # matcher applies segment constraints to the full segment. Derived from
+      # SAFE_HASH_PATTERN by stripping the \A/\z anchors; the controller still
+      # performs the anchored defense-in-depth validation before any filesystem
+      # lookup.
+      ROUTE_HASH_PATTERN = Regexp.new(SAFE_HASH_PATTERN.source.delete_prefix("\\A").delete_suffix("\\z"))
 
       class << self
-        # Helper for users who want to mount manually under a custom path. The
-        # auto-mount path uses these same route definitions via the engine
-        # initializer (see ReactOnRailsPro::Engine).
+        # Helper for manual route mounts. The Pro engine uses these same route
+        # definitions for the default auto-mount when the built-in Http adapter
+        # is configured, with an internal `as_prefix:` to avoid collisions with
+        # existing manual mounts.
         #
         # `as_prefix:` controls the generated named-route helpers
         # (`<prefix>_manifest`, `<prefix>_bundle`). Callers that mount the
@@ -71,7 +83,7 @@ module ReactOnRailsPro
                      as: :"#{as_prefix}_manifest")
           mapper.get("#{path}/bundles/:hash",
                      to: "react_on_rails_pro/rolling_deploy/bundles#show",
-                     constraints: { hash: SAFE_HASH_PATTERN },
+                     constraints: { hash: ROUTE_HASH_PATTERN },
                      as: :"#{as_prefix}_bundle")
         end
       end
@@ -80,8 +92,6 @@ module ReactOnRailsPro
       # path-traversal value through, the controller still rejects it
       # before any disk lookup because the hash must be in the
       # (regex-validated) current-hash set.
-      SAFE_HASH_PATTERN = ReactOnRailsPro::RollingDeploy::SAFE_HASH_PATTERN
-
       # Tarball entry name reserved for the server bundle. Companion assets
       # whose basename collides with this are skipped to keep the receiver
       # from extracting the wrong bytes into the bundle slot.

data/lib/react_on_rails_pro/configuration.rb

@@ -180,6 +180,8 @@ module ReactOnRailsPro
       self.rolling_deploy_adapter = rolling_deploy_adapter
       self.rolling_deploy_token = rolling_deploy_token
       self.rolling_deploy_previous_url = rolling_deploy_previous_url
+      # Constructor nil/blank means "use the default"; configure-block assignment
+      # can still set nil/blank later to opt out of the engine auto-mount.
       self.rolling_deploy_mount_path = rolling_deploy_mount_path.presence || DEFAULT_ROLLING_DEPLOY_MOUNT_PATH
       self.ssr_pre_hook_js = ssr_pre_hook_js
       self.assets_to_copy = assets_to_copy
@@ -298,10 +300,13 @@ module ReactOnRailsPro
 
     def validate_url
       URI(renderer_url)
-    rescue URI::InvalidURIError => e
-      message = "Unparseable ReactOnRailsPro.config.renderer_url #{renderer_url} provided.\n" \
-                "#{e.message}"
-      raise ReactOnRailsPro::Error, message
+    rescue URI::InvalidURIError
+      # Deliberately do NOT echo renderer_url or the URI error message: a
+      # malformed renderer_url may embed credentials (https://:password@host),
+      # and reproducing it here would leak the password into logs/error reporters.
+      raise ReactOnRailsPro::Error,
+            "ReactOnRailsPro.config.renderer_url is not a parseable URI. Verify the value " \
+            "(it is not echoed here because it may contain credentials)."
     end
 
     def validate_remote_bundle_cache_adapter
@@ -362,7 +367,7 @@ module ReactOnRailsPro
               "config.rolling_deploy_token is required when using the built-in " \
               "ReactOnRailsPro::RollingDeployAdapters::Http adapter. Generate one " \
               "with SecureRandom.hex(32) and set it on both Rails and your build CI. " \
-              "See docs/pro/rolling-deploy-http-adapter.md."
+              "See docs/pro/rolling-deploy-adapters.md."
       end
       # Compare on `bytesize` (not `length`) so the validator matches the
       # byte-level constant-time check in `BundlesController#authenticate_rolling_deploy_request`.
@@ -376,7 +381,7 @@ module ReactOnRailsPro
             "config.rolling_deploy_token must be at least " \
             "#{ROLLING_DEPLOY_TOKEN_MIN_LENGTH} bytes (got #{token.bytesize}). " \
             "Generate a stronger token with SecureRandom.hex(32). " \
-            "See docs/pro/rolling-deploy-http-adapter.md."
+            "See docs/pro/rolling-deploy-adapters.md."
     end
 
     def validate_rolling_deploy_upload_signature
@@ -450,67 +455,108 @@ module ReactOnRailsPro
     end
 
     def setup_renderer_password
+      resolve_renderer_password
+      # The password is sent to the Node Renderer in the request body, never via
+      # the URL (the HTTP client connects to scheme://host:port and the renderer
+      # authenticates on the body field). A password embedded in renderer_url is
+      # purely a Rails-side config convenience — once resolved above, strip it
+      # from the stored URL so the credential can never leak through any log line
+      # or error message that interpolates renderer_url downstream.
+      strip_renderer_url_userinfo
+    end
+
+    def resolve_renderer_password
       # Explicit passwords, including values loaded from ENV in the initializer, skip URL extraction.
       # Blank values (nil or "") fall through so URL extraction and ENV fallback still apply.
       return if renderer_password.present?
 
-      uri = URI(renderer_url)
-      self.renderer_password = uri.password
+      self.renderer_password = URI(renderer_url).password
 
       # Mirror Node-side defaults: if Rails config and URL are both missing a password,
       # use RENDERER_PASSWORD from env.
       self.renderer_password = ENV.fetch("RENDERER_PASSWORD", nil) if renderer_password.blank?
     end
 
+    def strip_renderer_url_userinfo
+      return if renderer_url.blank?
+
+      uri = URI(renderer_url)
+      return if uri.userinfo.nil?
+
+      # Order matters: URI rejects a password without a user, so clear password first.
+      uri.password = nil
+      uri.user = nil
+      self.renderer_url = uri.to_s
+    end
+
+    KNOWN_WEAK_RENDERER_PASSWORDS = %w[
+      devPassword myPassword1 password changeme admin secret test renderer
+    ].to_set(&:downcase).freeze
+
+    MIN_RENDERER_PASSWORD_LENGTH = 16
+
     def validate_renderer_password_for_production
-      # Defense-in-depth: skip validation when a password is already configured (e.g. extracted
-      # from the renderer URL by setup_renderer_password, or set directly in the initializer).
-      return if renderer_password.present?
       return unless node_renderer?
 
-      # Fail closed: only skip validation when every present runtime env is explicitly
-      # development or test. This mirrors the Node-side runtimeEnvsAllowDevelopmentDefaults()
-      # which checks both NODE_ENV and RAILS_ENV. Checking NODE_ENV here surfaces
-      # misconfigurations (e.g. NODE_ENV=production + RAILS_ENV=development) at Rails boot
-      # time rather than waiting for the Node renderer to reject the request.
       runtime_envs = [ENV.fetch("RAILS_ENV", nil), ENV.fetch("NODE_ENV", nil)].compact_blank.map(&:downcase)
       allowed_envs = %w[development test].freeze
-      return if runtime_envs.any? && runtime_envs.all? { |e| allowed_envs.include?(e) }
+      is_production_like = !(runtime_envs.any? && runtime_envs.all? { |e| allowed_envs.include?(e) })
 
-      raise ReactOnRailsPro::Error, <<~MSG
-        RENDERER_PASSWORD must be set in production-like environments (staging, production, etc.)
-        when using the NodeRenderer.
+      if renderer_password.blank?
+        return unless is_production_like
 
-        In development and test environments, the renderer password is optional and no authentication
-        is required. In all other environments, you must explicitly configure a password to secure
-        communication between Rails and the Node Renderer.
+        raise ReactOnRailsPro::Error, <<~MSG
+          RENDERER_PASSWORD must be set in production-like environments (staging, production, etc.)
+          when using the NodeRenderer.
 
-        To fix this, set the RENDERER_PASSWORD environment variable:
+          In development and test environments, the renderer password is optional and no authentication
+          is required. In all other environments, you must explicitly configure a password to secure
+          communication between Rails and the Node Renderer.
 
-          export RENDERER_PASSWORD="your-secure-password"
+          To fix this, set the RENDERER_PASSWORD environment variable:
 
-        Rails reads it automatically. If you prefer to make it explicit in your initializer:
+            export RENDERER_PASSWORD="your-secure-password"
 
-          # config/initializers/react_on_rails_pro.rb
-          ReactOnRailsPro.configure do |config|
-            config.renderer_password = ENV.fetch("RENDERER_PASSWORD")
-          end
+          Rails reads it automatically. If you prefer to make it explicit in your initializer:
 
-        Set the same password for the Node Renderer via the RENDERER_PASSWORD environment variable.
-        Rails resolves the password in this order:
-          1) config.renderer_password (blank values fall through to the next step)
-          2) Password embedded in config.renderer_url (for example, https://:password@host:3800)
-          3) ENV["RENDERER_PASSWORD"]
+            # config/initializers/react_on_rails_pro.rb
+            ReactOnRailsPro.configure do |config|
+              config.renderer_password = ENV.fetch("RENDERER_PASSWORD")
+            end
 
-        If Rails and the Node Renderer disagree about startup behavior, verify both RAILS_ENV and NODE_ENV.
+          Set the same password for the Node Renderer via the RENDERER_PASSWORD environment variable.
+          Rails resolves the password in this order:
+            1) config.renderer_password (blank values fall through to the next step)
+            2) Password embedded in config.renderer_url (for example, https://:password@host:3800)
+            3) ENV["RENDERER_PASSWORD"]
 
-        Environment matrix (both RAILS_ENV and NODE_ENV are checked):
-          development/test — password optional when every set env is development or test
-          (both unset)     — treated as production-like; RENDERER_PASSWORD required
-          staging          — RENDERER_PASSWORD required
-          production       — RENDERER_PASSWORD required
-          (mixed envs)     — RENDERER_PASSWORD required (e.g. NODE_ENV=production + RAILS_ENV=development)
-      MSG
+          If Rails and the Node Renderer disagree about startup behavior, verify both RAILS_ENV and NODE_ENV.
+
+          Environment matrix (both RAILS_ENV and NODE_ENV are checked):
+            development/test — password optional when every set env is development or test
+            (both unset)     — treated as production-like; RENDERER_PASSWORD required
+            staging          — RENDERER_PASSWORD required
+            production       — RENDERER_PASSWORD required
+            (mixed envs)     — RENDERER_PASSWORD required (e.g. NODE_ENV=production + RAILS_ENV=development)
+        MSG
+      end
+
+      warn_if_renderer_password_weak
+    end
+
+    def warn_if_renderer_password_weak
+      if KNOWN_WEAK_RENDERER_PASSWORDS.include?(renderer_password.downcase)
+        # Don't log the literal value — even a known-default value is the
+        # user's *current* live credential until they rotate it.
+        Rails.logger.warn "[react_on_rails_pro] renderer_password matches a known-default value. " \
+                          "Set RENDERER_PASSWORD to a random value of at least " \
+                          "#{MIN_RENDERER_PASSWORD_LENGTH} characters."
+      elsif renderer_password.length < MIN_RENDERER_PASSWORD_LENGTH
+        Rails.logger.warn "[react_on_rails_pro] renderer_password is shorter than " \
+                          "#{MIN_RENDERER_PASSWORD_LENGTH} characters " \
+                          "(current length: #{renderer_password.length}). " \
+                          "Consider using a stronger password."
+      end
     end
   end
 end

data/lib/react_on_rails_pro/engine.rb

@@ -7,13 +7,30 @@ module ReactOnRailsPro
     LICENSE_URL = "https://pro.reactonrails.com/"
     # TODO: Remove this legacy migration warning path after 16.5.0 stable release (target: 2026-05-31).
     LEGACY_LICENSE_FILE = "config/react_on_rails_pro_license.key"
+    ROLLING_DEPLOY_AUTO_ROUTE_PREFIX = "react_on_rails_pro_auto_rolling_deploy"
     private_constant :LICENSE_URL
     private_constant :LEGACY_LICENSE_FILE
+    private_constant :ROLLING_DEPLOY_AUTO_ROUTE_PREFIX
 
     initializer "react_on_rails_pro.routes" do
       ActionDispatch::Routing::Mapper.include ReactOnRailsPro::Routes
     end
 
+    initializer "react_on_rails_pro.rolling_deploy_routes" do |app|
+      app.routes.prepend do
+        pro_config = ReactOnRailsPro.configuration
+        mount_path = pro_config.rolling_deploy_mount_path
+
+        if pro_config.rolling_deploy_http_adapter? && mount_path.present?
+          ReactOnRailsPro::RollingDeploy::BundlesController.draw_routes(
+            self,
+            path: mount_path,
+            as_prefix: ROLLING_DEPLOY_AUTO_ROUTE_PREFIX
+          )
+        end
+      end
+    end
+
     # Check license status on Rails startup and log appropriately
     # App continues running regardless of license status
     initializer "react_on_rails_pro.check_license" do

data/lib/react_on_rails_pro/renderer_cache_helpers.rb

@@ -3,7 +3,6 @@
 require "fileutils"
 require "securerandom"
 require "pathname"
-require "set"
 
 require "react_on_rails_pro/error"
 

data/lib/react_on_rails_pro/rolling_deploy_adapters/http.rb

@@ -4,6 +4,7 @@ require "fileutils"
 require "json"
 require "net/http"
 require "openssl"
+require "tempfile"
 require "uri"
 
 require "react_on_rails_pro/error"
@@ -21,7 +22,7 @@ module ReactOnRailsPro
     # The currently-deployed Rails server already has the bundles + companion
     # assets sitting on disk; this adapter pulls them via authenticated HTTP.
     #
-    # Configuration (see docs/pro/rolling-deploy-http-adapter.md):
+    # Configuration (see docs/pro/rolling-deploy-adapters.md):
     #
     #   ReactOnRailsPro.configure do |config|
     #     config.rolling_deploy_adapter      = ReactOnRailsPro::RollingDeployAdapters::Http
@@ -32,6 +33,7 @@ module ReactOnRailsPro
     # Error contract matches the rolling_deploy_adapter protocol: every
     # exception is caught and reported as a warning so a failed seed degrades
     # to the runtime 410-retry fallback rather than failing the build.
+    # rubocop:disable Metrics/ClassLength
     class Http
       # Per-request HTTP timeouts. The outer Timeout.timeout in
       # RollingDeployCacheStager bounds the total wall-clock budget (10s for
@@ -49,6 +51,12 @@ module ReactOnRailsPro
       # exhaust disk via a zip-bomb-style response.
       DEFAULT_MAX_SIZE = ReactOnRailsPro::RollingDeploy::Tarball::DEFAULT_MAX_SIZE
 
+      # Maximum compressed bytes accepted from /bundles/:hash before extract
+      # enforces DEFAULT_MAX_SIZE on the uncompressed tarball contents.
+      # Set near 1/4 of DEFAULT_MAX_SIZE: JS bundles typically decompress 3-5x,
+      # so a 50 MB wire payload that decompresses beyond 200 MB is anomalous.
+      COMPRESSED_BODY_CAP = 50 * 1024 * 1024
+
       LOG_PREFIX = "[ReactOnRailsPro::RollingDeployAdapters::Http]"
 
       # Wire-format constant: must stay in sync with
@@ -101,10 +109,13 @@ module ReactOnRailsPro
 
           dir = bundle_dir(bundle_hash)
           FileUtils.mkdir_p(dir)
-          tarball_body = download_bundle_tarball(base, bundle_hash)
-          return cleanup_and_return(dir, nil) if tarball_body.nil?
 
-          extract_payload(tarball_body, dir, bundle_hash)
+          result = download_bundle_tarball(base, bundle_hash) do |tarball|
+            extract_payload(tarball, dir, bundle_hash)
+          end
+          return cleanup_and_return(dir, nil) if result.nil?
+
+          result
         rescue StandardError => e
           cleanup_and_return(dir, nil) if dir
           warn_and_return("fetch(#{bundle_hash.inspect}) failed: #{e.class}: #{e.message}", nil)
@@ -113,7 +124,7 @@ module ReactOnRailsPro
         # Intentional no-op. The running Rails server IS the artifact store —
         # bundle + companion assets are already on local disk where the
         # mountable BundlesController will serve them on the next deploy's
-        # build CI. Documented in docs/pro/rolling-deploy-http-adapter.md.
+        # build CI. Documented in docs/pro/rolling-deploy-adapters.md.
         def upload(_bundle_hash, bundle:, assets:)
           # See class doc above.
         end
@@ -168,26 +179,77 @@ module ReactOnRailsPro
         end
 
         def download_bundle_tarball(base, bundle_hash)
-          response = http_get(URI("#{base}/bundles/#{bundle_hash}"))
-          unless response.is_a?(Net::HTTPSuccess)
-            Rails.logger.warn(
-              "#{LOG_PREFIX} bundles/#{bundle_hash} returned HTTP #{response.code}; skipping this hash."
-            )
-            return nil
+          Tempfile.create(["rolling-deploy-download-", ".tar.gz"]) do |tmp|
+            tmp.binmode
+            response = http_stream(URI("#{base}/bundles/#{bundle_hash}")) do |streaming_response|
+              unless streaming_response.is_a?(Net::HTTPSuccess)
+                Rails.logger.warn(
+                  "#{LOG_PREFIX} bundles/#{bundle_hash} returned HTTP #{streaming_response.code}; skipping this hash."
+                )
+                # Drain the error body (capped) so Net::HTTP can finish the
+                # response cleanly. If the body itself exceeds the cap,
+                # `drain_response_body` raises and `fetch`'s rescue logs a second
+                # "fetch(...) failed" warning alongside the "skipping this hash"
+                # line above. Both lines are expected for an oversized error
+                # body — the pair signals "non-2xx, and the body was too large
+                # to drain," not a separate failure.
+                drain_response_body(streaming_response)
+                next
+              end
+
+              stream_response_body(streaming_response, tmp)
+            end
+            # Non-local return: exits `download_bundle_tarball`; Tempfile.create's
+            # ensure block still unlinks `tmp` before the method returns.
+            return nil unless response.is_a?(Net::HTTPSuccess)
+
+            tmp.flush
+            tmp.rewind
+            yield tmp
           end
-          # `response.body` buffers the full compressed tarball into a single
-          # Ruby String before `Tarball.extract` can enforce DEFAULT_MAX_SIZE on
-          # uncompressed bytes. For v1 this is acceptable: build CI fetches are
-          # infrequent, the 200 MB uncompressed ceiling fits in heap, and the
-          # read timeout bounds slow responses. A future follow-up should stream
-          # the body into a Tempfile with its own compressed-byte cap (mirroring
-          # the controller's `compose_to_tempfile`) so an oversized wire payload
-          # cannot fill build-CI heap before extraction aborts.
-          response.body
         end
 
-        def extract_payload(tarball_body, dir, bundle_hash)
-          ReactOnRailsPro::RollingDeploy::Tarball.extract(tarball_body, dir, max_size: DEFAULT_MAX_SIZE)
+        def stream_response_body(response, io)
+          each_capped_body_chunk(response, context: "bundle body") { |chunk| io.write(chunk) }
+        end
+
+        # Reads and discards a non-success body solely to enforce the
+        # compressed-byte cap. No block is passed, so `each_capped_body_chunk`
+        # counts bytes without writing them anywhere.
+        def drain_response_body(response)
+          each_capped_body_chunk(response, context: "non-success response body")
+        end
+
+        def each_capped_body_chunk(response, context:)
+          bytes = 0
+          response.read_body do |chunk|
+            bytes += chunk.bytesize
+            # Strictly greater-than (`>`, not `>=`): exactly COMPRESSED_BODY_CAP
+            # bytes are allowed through, so the cap is an exclusive ceiling. The
+            # raise fires before `yield chunk`, so the offending chunk is counted
+            # but never written/drained — the Tempfile never sees more than
+            # COMPRESSED_BODY_CAP bytes.
+            if bytes > COMPRESSED_BODY_CAP
+              raise ReactOnRailsPro::Error,
+                    "#{context} exceeded compressed body cap " \
+                    "(#{compressed_body_cap_label}); aborting download"
+            end
+            yield chunk if block_given?
+          end
+        end
+
+        # Dynamic (not a constant) so specs that `stub_const` the cap to a small
+        # value still see the stubbed value reflected in the warning message.
+        def compressed_body_cap_label
+          megabyte_bytes = 1024 * 1024
+          megabytes = COMPRESSED_BODY_CAP / megabyte_bytes
+          return "#{megabytes} MB" if megabytes.positive? && megabytes * megabyte_bytes == COMPRESSED_BODY_CAP
+
+          "#{COMPRESSED_BODY_CAP} bytes"
+        end
+
+        def extract_payload(tarball_source, dir, bundle_hash)
+          ReactOnRailsPro::RollingDeploy::Tarball.extract(tarball_source, dir, max_size: DEFAULT_MAX_SIZE)
           bundle_path = File.join(dir, BUNDLE_ENTRY_NAME)
           unless File.file?(bundle_path)
             return cleanup_and_return(
@@ -225,18 +287,29 @@ module ReactOnRailsPro
         # connection pooling would force us to manage lifecycle / cleanup
         # across threads.
         def http_get(uri, read_timeout: DEFAULT_READ_TIMEOUT_SECONDS)
+          http_for(uri, read_timeout: read_timeout).request(build_request(uri))
+        end
+
+        def http_stream(uri, read_timeout: DEFAULT_READ_TIMEOUT_SECONDS, &block)
+          http_for(uri, read_timeout: read_timeout).request(build_request(uri), &block)
+        end
+
+        def build_request(uri)
           request = Net::HTTP::Get.new(uri.request_uri)
           token = configured_token
           request["Authorization"] = "Bearer #{token}" unless token.empty?
           request["Accept-Encoding"] = "identity" # tarball is already gzipped; don't double-compress
+          request
+        end
 
+        def http_for(uri, read_timeout:)
           http = Net::HTTP.new(uri.host, uri.port)
           http.use_ssl = (uri.scheme == "https")
           warn_plain_http_token(uri) unless http.use_ssl?
           http.verify_mode = OpenSSL::SSL::VERIFY_PEER if http.use_ssl?
           http.open_timeout = DEFAULT_OPEN_TIMEOUT_SECONDS
           http.read_timeout = read_timeout
-          http.request(request)
+          http
         end
 
         # Plain-HTTP guardrail. The full HTTPS-only guard lands in PR 2; until
@@ -260,5 +333,6 @@ module ReactOnRailsPro
         end
       end
     end
+    # rubocop:enable Metrics/ClassLength
   end
 end

data/lib/react_on_rails_pro/version.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
 module ReactOnRailsPro
-  VERSION = "16.7.0.rc.3"
+  VERSION = "17.0.0.rc.1"
   PROTOCOL_VERSION = "2.0.0"
 end

data/react_on_rails_pro.gemspec

@@ -34,7 +34,7 @@ Gem::Specification.new do |s|
   s.executables   = s.files.grep(%r{^exe/}) { |f| File.basename(f) }
   s.require_paths = ["lib"]
 
-  s.required_ruby_version = ">= 3.3"
+  s.required_ruby_version = ">= 3.3.0"
 
   s.add_runtime_dependency "addressable"
   s.add_runtime_dependency "async", ">= 2.29"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: react_on_rails_pro
 version: !ruby/object:Gem::Version
-  version: 16.7.0.rc.3
+  version: 17.0.0.rc.1
 platform: ruby
 authors:
 - Justin Gordon
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2026-05-27 00:00:00.000000000 Z
+date: 2026-06-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
@@ -120,14 +120,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 16.7.0.rc.3
+        version: 17.0.0.rc.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 16.7.0.rc.3
+        version: 17.0.0.rc.1
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -311,7 +311,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '3.3'
+      version: 3.3.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="