react_on_rails_pro 16.7.0.rc.2 → 16.7.0.rc.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3846c8e0c8bc0e3f48b7f09f2068b7f4935a4e0a69b3b07160f635d57988c8e9
-  data.tar.gz: eecf2b6b0be9d82ea7cde3a8b60e9b2ff3b1d21e247175601ff6c54de4492eeb
+  metadata.gz: 7a4266ac7cb6a9cdbb62755a17d95282222b6909e64d41ff7b7a7bcf897c2f0a
+  data.tar.gz: 8372bde1ffd861b8f8026e6fa28f4a9f65130ec6c70a42cdfa09a33f6a449c5a
 SHA512:
-  metadata.gz: 206fba54350de7c2423b02c4a1a366674030ab178db0007b52e26a638c867d4cb164d8120b9281f90694b046b241e1ff5ed98769483636c05b41825086d92d91
-  data.tar.gz: a93ea4c57242bbf7d272856e2bbba8379af3e19c2dd29ee0901bcd60f4b296d27ea3b2eb6136f38d5a726601ed2c6967d9c8512deff149f1f1d10f637825f43d
+  metadata.gz: 40ebe444b6abb44184984519f44a61df910f69e9e0fa73841ae552de49ba799ed872e8fc3bd8d8b0af8ca27c5c88946fa8abc28278fe42ac0603ac3d5de8cfde
+  data.tar.gz: fd3568d5daff73971afddf96575237d2e07a738c972c1f0067e6ac8dc32ed4923c3dbdcf41fbe8dc06cb9d446c48b8544fb30e7ede7e8a57f9606fa2ec25dcc7

data/.gitignore

@@ -6,7 +6,6 @@
 /pkg/
 /spec/reports/
 *.gem
-/vendor/
 tmp
 
 **/spec/examples.txt

data/.rubocop.yml

@@ -17,6 +17,18 @@ AllCops:
     - 'spec/dummy/bin/**/*'
     - 'bin/**/*'
 
+Naming/VariableNumber:
+  AllowedIdentifiers:
+    - p99_9
+
+RSpec/FilePath:
+  Exclude:
+    - 'spec/load/**/*_spec.rb'
+
+RSpec/SpecFilePathFormat:
+  Exclude:
+    - 'spec/load/**/*_spec.rb'
+
 RSpec/BeforeAfterAll:
   Exclude:
     - 'spec/react_on_rails/generators/dev_tests_generator_spec.rb'

data/CLAUDE.md

@@ -16,11 +16,14 @@ Pro-specific guidance. See root CLAUDE.md for general project rules.
 
 ### Linting
 
-Pro has its **own** ESLint and Prettier configs (separate from root): `eslint.config.mjs`, `.prettierrc`, `.prettierignore`.
+Pro uses the root ESLint and Prettier configs. Run JS/TS lint and formatting from the repo root.
 
-- Pro ESLint: `cd react_on_rails_pro && pnpm run eslint .`
-- Pro Prettier check: `cd react_on_rails_pro && pnpm run prettier --check .`
-- CI runs both root and Pro linting separately
+- JS/TS lint: `pnpm run eslint --report-unused-disable-directives`
+- Prettier check: `pnpm start format.listDifferent`
+- Pro Ruby lint: `cd react_on_rails_pro && bundle exec rubocop --ignore-parent-exclusion`
+- Pro RBS validation: `cd react_on_rails_pro && bundle exec rake rbs:validate`
+- Pro TypeScript check: `pnpm run nps check-typescript`
+- CI runs unified ESLint/Prettier in `lint-js-and-ruby.yml`; Pro Ruby/RBS/TypeScript checks run in the `pro-lint` job in `pro-test-package-and-gem.yml`
 
 ### Building
 
@@ -91,8 +94,7 @@ Order matters. If the base package isn't published first, the chain breaks.
 GitHub Actions workflows for Pro (at repo root `.github/workflows/`):
 
 - `pro-integration-tests.yml` — Pro dummy app integration tests
-- `pro-lint.yml` — Pro-specific linting
-- `pro-test-package-and-gem.yml` — Pro gem + JS package tests
+- `pro-test-package-and-gem.yml` — Pro gem + JS package tests, plus Pro Ruby/RBS/TypeScript linting
 
 ## Key Differences from Open-Source
 
@@ -102,5 +104,4 @@ GitHub Actions workflows for Pro (at repo root `.github/workflows/`):
 | SSR                | ExecJS or basic Node   | Dedicated node renderer process                                     |
 | Server bundles     | Public                 | Private (`ssr-generated/`, `enforce_private_server_bundles = true`) |
 | Transpiler         | SWC                    | Babel (needed for advanced transforms)                              |
-| Lint/format config | Root configs           | Own ESLint + Prettier configs                                       |
 | Test commands      | `rake run_rspec:dummy` | Separate Pro commands (see above)                                   |

data/Gemfile.development_dependencies

@@ -55,9 +55,10 @@ group :development, :test do
   gem "scss_lint", require: false
   gem "fakefs", require: "fakefs/safe"
 
-  # Ruby 3.5+ removed these from the default gem set; they must now be declared explicitly
+  # Ruby 3.4+ removed these from the default gem set; they must now be declared explicitly
   # to avoid `cannot load such file` errors from gems that lazy-require them (e.g. jbuilder).
   gem "benchmark", require: false
+  gem "csv", require: false
   gem "logger", require: false
   gem "ostruct", require: false
   # base64 was promoted from a default gem to a bundled gem in Ruby 3.4, so Bundler-managed

data/Gemfile.lock

@@ -9,7 +9,7 @@ GIT
 PATH
   remote: ..
   specs:
-    react_on_rails (16.7.0.rc.2)
+    react_on_rails (16.7.0.rc.3)
       addressable
       connection_pool
       execjs (~> 2.5)
@@ -20,16 +20,15 @@ PATH
 PATH
   remote: .
   specs:
-    react_on_rails_pro (16.7.0.rc.2)
+    react_on_rails_pro (16.7.0.rc.3)
       addressable
       async (>= 2.29)
-      connection_pool
+      async-http (~> 0.95)
       execjs (~> 2.9)
-      http-2 (>= 1.1.1)
-      httpx (~> 1.5)
-      jwt (>= 2.7)
+      io-endpoint (~> 0.17.0)
+      jwt (>= 2.5, < 4)
       rainbow
-      react_on_rails (= 16.7.0.rc.2)
+      react_on_rails (= 16.7.0.rc.3)
 
 GEM
   remote: https://rubygems.org/
@@ -117,6 +116,19 @@ GEM
       io-event (~> 1.11)
       metrics (~> 0.12)
       traces (~> 0.18)
+    async-http (0.95.1)
+      async (>= 2.10.2)
+      async-pool (~> 0.11)
+      io-endpoint (~> 0.14)
+      io-stream (~> 0.6)
+      metrics (~> 0.12)
+      protocol-http (~> 0.62)
+      protocol-http1 (~> 0.39)
+      protocol-http2 (~> 0.26)
+      protocol-url (~> 0.2)
+      traces (~> 0.10)
+    async-pool (0.11.2)
+      async (>= 2.0)
     base64 (0.3.0)
     benchmark (0.5.0)
     bigdecimal (4.0.1)
@@ -153,6 +165,7 @@ GEM
       bigdecimal
       rexml
     crass (1.0.6)
+    csv (3.3.5)
     date (3.5.1)
     diff-lcs (1.5.1)
     docile (1.4.0)
@@ -181,13 +194,12 @@ GEM
     graphiql-rails (1.10.0)
       railties
     hashdiff (1.1.0)
-    http-2 (1.1.1)
-    httpx (1.7.0)
-      http-2 (>= 1.0.0)
     i18n (1.14.8)
       concurrent-ruby (~> 1.0)
     io-console (0.8.2)
+    io-endpoint (0.17.2)
     io-event (1.14.2)
+    io-stream (0.13.0)
     irb (1.17.0)
       pp (>= 0.6.0)
       prism (>= 1.3.0)
@@ -258,6 +270,14 @@ GEM
       prettyprint
     prettyprint (0.2.0)
     prism (1.9.0)
+    protocol-hpack (1.5.1)
+    protocol-http (0.62.2)
+    protocol-http1 (0.39.0)
+      protocol-http (~> 0.62)
+    protocol-http2 (0.26.0)
+      protocol-hpack (~> 1.4)
+      protocol-http (~> 0.62)
+    protocol-url (0.4.0)
     pry (0.14.2)
       coderay (~> 1.1)
       method_source (~> 1.0)
@@ -483,6 +503,7 @@ DEPENDENCIES
   capybara (>= 3.38.0)
   capybara-screenshot
   commonmarker
+  csv
   equivalent-xml
   fakefs
   faker

data/README.md

@@ -2,7 +2,6 @@
 
 [![License](https://img.shields.io/badge/license-Commercial-blue.svg)](./LICENSE)
 [![Build Integration Tests](https://github.com/shakacode/react_on_rails/actions/workflows/pro-integration-tests.yml/badge.svg)](https://github.com/shakacode/react_on_rails/actions/workflows/pro-integration-tests.yml)
-[![Build Lint](https://github.com/shakacode/react_on_rails/actions/workflows/pro-lint.yml/badge.svg)](https://github.com/shakacode/react_on_rails/actions/workflows/pro-lint.yml)
 [![Build Package Tests](https://github.com/shakacode/react_on_rails/actions/workflows/pro-test-package-and-gem.yml/badge.svg)](https://github.com/shakacode/react_on_rails/actions/workflows/pro-test-package-and-gem.yml)
 
 **Performance enhancements and advanced features for [React on Rails](https://github.com/shakacode/react_on_rails).**
@@ -257,7 +256,7 @@ end
 
 ### Prerequisites
 
-- **Ruby**: >= 3.0
+- **Ruby**: >= 3.3
 - **Rails**: >= 6.0 (recommended: 7.0+)
 - **React on Rails**: >= 11.0.7 (recommended: latest)
 - **Node.js**: >= 18 (for Node Renderer)
@@ -267,7 +266,7 @@ end
 
 | React on Rails Pro | React on Rails | Rails  | Ruby   | React   |
 | ------------------ | -------------- | ------ | ------ | ------- |
-| 16.x               | >= 16.0        | >= 7.0 | >= 3.2 | >= 18   |
+| 16.x               | >= 16.0        | >= 7.0 | >= 3.3 | >= 18   |
 | 3.x                | >= 13.0        | >= 6.0 | >= 3.0 | >= 16.8 |
 
 > **Note:** Pro version numbers were aligned with the core gem starting at 16.2.0. Pro 16.x is the direct successor to Pro 3.x/4.x.

data/app/controllers/react_on_rails_pro/rolling_deploy/bundles_controller.rb

@@ -0,0 +1,298 @@
+# frozen_string_literal: true
+
+require "active_support/security_utils"
+
+require "react_on_rails_pro/rolling_deploy/safe_hash_pattern"
+require "react_on_rails_pro/rolling_deploy/tarball"
+
+module ReactOnRailsPro
+  module RollingDeploy
+    # Server side of the built-in HTTP rolling-deploy adapter. Exposes the
+    # current deployment's bundle hashes (`GET /manifest`) and serves a
+    # gzipped tarball per hash (`GET /bundles/:hash`). The
+    # ReactOnRailsPro::RollingDeployAdapters::Http adapter on the next
+    # deploy's build CI consumes both endpoints.
+    #
+    # Auto-mounted by the engine when `config.rolling_deploy_adapter` is the
+    # Http adapter (or a subclass). Users who need a custom mount path or want
+    # to layer their own auth middleware can mount manually:
+    #
+    #   # config/routes.rb
+    #   ReactOnRailsPro::RollingDeploy::BundlesController.draw_routes(
+    #     self,
+    #     path: "/internal/rolling-deploy"
+    #   )
+    #
+    # Callers that need to mount the controller more than once (for example,
+    # the engine auto-mount plus a user-controlled secondary path) must pass
+    # a distinct `as_prefix:` per call so Rails' named-route registry
+    # doesn't raise `ArgumentError: Invalid route name, already in use`.
+    #
+    # Security:
+    #   * Bearer-token auth via `Authorization: Bearer <token>`, constant-time
+    #     compare (ActiveSupport::SecurityUtils.secure_compare). 401 returned
+    #     uniformly for missing / malformed / wrong token so callers can't
+    #     distinguish failure modes.
+    #   * `:hash` URL param is matched against an allowlist of the current
+    #     deployment's actual bundle hashes — anything else returns 404. The
+    #     hash never touches the filesystem layer.
+    #   * Responses include `Cache-Control: no-store` so a misconfigured
+    #     intermediary doesn't cache the bundle behind the auth check.
+    #   * Uses `protect_from_forgery with: :exception` (the Rails default)
+    #     rather than `:null_session`. CodeQL flags `:null_session` as a
+    #     weakened CSRF strategy, and an `ActionController::API` controller
+    #     with no `protect_from_forgery` at all as missing protection — both
+    #     are false positives here (this is a GET-only bearer-token API, so
+    #     CSRF never actually fires regardless of strategy), but `:exception`
+    #     on `ActionController::Base` is the form CodeQL accepts. The check
+    #     is a no-op at runtime because Rails only invokes
+    #     `verify_authenticity_token` on non-GET requests.
+    class BundlesController < ActionController::Base
+      protect_from_forgery with: :exception
+
+      before_action :authenticate_rolling_deploy_request
+      before_action :set_no_store_headers
+
+      DEFAULT_ROUTE_PREFIX = "react_on_rails_pro_rolling_deploy"
+
+      class << self
+        # Helper for users who want to mount manually under a custom path. The
+        # auto-mount path uses these same route definitions via the engine
+        # initializer (see ReactOnRailsPro::Engine).
+        #
+        # `as_prefix:` controls the generated named-route helpers
+        # (`<prefix>_manifest`, `<prefix>_bundle`). Callers that mount the
+        # controller more than once (e.g. auto-mount plus a secondary user
+        # mount) must pass distinct prefixes so the Rails route registry
+        # doesn't raise on duplicate names.
+        def draw_routes(mapper, path:, as_prefix: DEFAULT_ROUTE_PREFIX)
+          mapper.get("#{path}/manifest",
+                     to: "react_on_rails_pro/rolling_deploy/bundles#manifest",
+                     as: :"#{as_prefix}_manifest")
+          mapper.get("#{path}/bundles/:hash",
+                     to: "react_on_rails_pro/rolling_deploy/bundles#show",
+                     constraints: { hash: SAFE_HASH_PATTERN },
+                     as: :"#{as_prefix}_bundle")
+        end
+      end
+
+      # Defense-in-depth: even if the route constraint somehow let a
+      # path-traversal value through, the controller still rejects it
+      # before any disk lookup because the hash must be in the
+      # (regex-validated) current-hash set.
+      SAFE_HASH_PATTERN = ReactOnRailsPro::RollingDeploy::SAFE_HASH_PATTERN
+
+      # Tarball entry name reserved for the server bundle. Companion assets
+      # whose basename collides with this are skipped to keep the receiver
+      # from extracting the wrong bytes into the bundle slot.
+      #
+      # Wire-format constant: must stay in sync with
+      # `ReactOnRailsPro::RollingDeployAdapters::Http::BUNDLE_ENTRY_NAME`. If
+      # one side bumps the entry name (e.g. a protocol version change) the
+      # other must follow or the client extraction will fail to find the
+      # bundle file.
+      BUNDLE_ENTRY_NAME = "bundle.js"
+
+      PROTOCOL_VERSION = 1
+
+      def manifest
+        sources = safe_current_bundle_sources
+        render json: {
+          hashes: sources.map { |_, hash| hash },
+          rsc_enabled: ReactOnRailsPro.configuration.enable_rsc_support,
+          generated_at: Time.now.utc.iso8601,
+          protocol_version: PROTOCOL_VERSION
+        }
+      end
+
+      def show
+        hash = params[:hash].to_s
+        # Defense in depth — route constraint should already enforce this,
+        # but we also reject any value that slipped past it before any
+        # filesystem operation looks at it.
+        return head(:not_found) unless SAFE_HASH_PATTERN.match?(hash)
+
+        sources = safe_current_bundle_sources
+        match = sources.find { |_, h| h == hash }
+        return head(:not_found) unless match
+
+        bundle_path, _matched_hash = match
+        serve_bundle_tarball(bundle_path)
+      end
+
+      private
+
+      def authenticate_rolling_deploy_request
+        configured = ReactOnRailsPro.configuration.rolling_deploy_token.to_s
+        # If the controller is reached without a configured token, refuse
+        # unconditionally. This is defense-in-depth — the engine should not
+        # mount the controller in that state — but it makes the no-token
+        # mode a hard fail rather than an open endpoint.
+        return head(:unauthorized) if configured.empty?
+
+        provided = extract_bearer_token(request.headers["Authorization"])
+        return head(:unauthorized) if provided.empty?
+
+        # `secure_compare` raises ArgumentError when the two strings differ
+        # in length, so we gate on bytesize first. This does leak whether
+        # the provided token has the correct byte length, but the
+        # configuration validator enforces a minimum of 32 bytes and
+        # operators are advised to use `SecureRandom.hex(32)` (64 bytes),
+        # so the only information exposed is the token's exact byte length
+        # — not any of its bits. The body of the comparison is constant-time
+        # via `secure_compare` regardless of which byte differs.
+        match = provided.bytesize == configured.bytesize &&
+                ActiveSupport::SecurityUtils.secure_compare(provided, configured)
+        head(:unauthorized) unless match
+      end
+
+      def extract_bearer_token(header)
+        return "" if header.blank?
+        return "" unless header.start_with?("Bearer ", "bearer ")
+
+        # Take the token bytes verbatim. We deliberately do not `.strip` here
+        # because the configured side is compared without stripping — if an
+        # operator misconfigures a token with trailing whitespace, an
+        # asymmetric strip would silently authenticate a shorter token.
+        header[7..].to_s
+      end
+
+      def set_no_store_headers
+        response.headers["Cache-Control"] = "no-store"
+        response.headers["Pragma"] = "no-cache"
+        response.headers["X-Content-Type-Options"] = "nosniff"
+      end
+
+      # Wraps bundle_sources to absorb the "bundle file not present yet" case
+      # so the manifest endpoint can still 200 with an empty hashes list during
+      # the brief window after Rails boots but before assets:precompile has
+      # produced the bundle on this dyno. Returns `[]` rather than raising so
+      # the build-CI side sees "this server has nothing to seed" instead of a
+      # 500 that would otherwise show up as a noisy deploy alert.
+      def safe_current_bundle_sources
+        unless ReactOnRailsPro.configuration.node_renderer?
+          Rails.logger.warn(
+            "[ReactOnRailsPro::RollingDeploy::BundlesController] " \
+            "node_renderer? is false — returning an empty manifest. " \
+            "Verify that the Pro configuration enables the node renderer; " \
+            "the HTTP rolling-deploy adapter only serves bundles when it does."
+          )
+          return []
+        end
+
+        pool = ReactOnRailsPro::ServerRenderingPool::NodeRenderingPool
+        ReactOnRailsPro::RendererCacheHelpers.bundle_sources(pool, "serving rolling-deploy tarball")
+      rescue StandardError => e
+        Rails.logger.warn(
+          "[ReactOnRailsPro::RollingDeploy::BundlesController] " \
+          "bundle source discovery failed: #{e.class}: #{e.message}. " \
+          "Returning empty manifest — verify bundles have been precompiled."
+        )
+        []
+      end
+
+      def serve_bundle_tarball(bundle_path)
+        entries = tarball_entries(bundle_path)
+
+        ReactOnRailsPro::RollingDeploy::Tarball.compose_to_tempfile(entries) do |io|
+          # We've already buffered the tarball to a Tempfile inside
+          # compose_to_tempfile; send_data reads the contents once. For very
+          # large bundles a streaming send via ActionController::Live would
+          # save memory; that's deferred to a follow-up PR — the current
+          # default ceiling (200 MB) fits comfortably in memory on every
+          # Rails app instance we'd expect to deploy.
+          send_data io.read,
+                    type: "application/gzip",
+                    disposition: "inline",
+                    filename: "#{params[:hash]}.tar.gz"
+        end
+      end
+
+      # Pairs the bundle file (renamed to `bundle.js` on the wire) with the
+      # current build's companion assets. Each tarball carries the full
+      # companion set so the receiver can stage a complete cache entry without
+      # a second round-trip — matching the rolling_deploy_adapter contract
+      # that `fetch(hash)` returns bundle + assets together.
+      #
+      # Companions are skipped (with a warning) when they would shadow the
+      # bundle entry, collide with another companion's basename, or carry a
+      # name that the tarball helper would reject during compose. This
+      # matches the publish-side behavior in AssetsPrecompile where missing
+      # or unsafe assets degrade rather than fail the build.
+      def tarball_entries(bundle_path)
+        entries = { BUNDLE_ENTRY_NAME => bundle_path }
+        companion_assets.each do |asset_path|
+          name = File.basename(asset_path)
+          next if skip_companion?(name, asset_path, entries)
+
+          entries[name] = asset_path
+        end
+        entries
+      end
+
+      def skip_companion?(name, asset_path, entries)
+        if name == BUNDLE_ENTRY_NAME
+          warn_companion_skipped(
+            "companion #{asset_path.inspect} basename collides with bundle entry #{BUNDLE_ENTRY_NAME.inspect}"
+          )
+          return true
+        end
+        unless ReactOnRailsPro::RollingDeploy::Tarball::ENTRY_NAME_PATTERN.match?(name)
+          warn_companion_skipped(
+            "companion #{asset_path.inspect} basename #{name.inspect} is not a safe tarball entry name"
+          )
+          return true
+        end
+        if entries.key?(name)
+          warn_companion_skipped(
+            "duplicate companion basename #{name.inspect}; " \
+            "keeping #{entries[name].inspect}, dropping #{asset_path.inspect}"
+          )
+          return true
+        end
+        false
+      end
+
+      def warn_companion_skipped(message)
+        Rails.logger.warn("[ReactOnRailsPro::RollingDeploy::BundlesController] #{message}.")
+      end
+
+      def companion_assets
+        rails_root = File.expand_path(Rails.root.to_s)
+        rails_root_realpath = File.realpath(rails_root)
+
+        # `collect_assets` returns the live build's loadable-stats + RSC
+        # manifests; missing assets are silently dropped to match the
+        # publish-side behavior in AssetsPrecompile.
+        ReactOnRailsPro::RendererCacheHelpers.collect_assets
+                                             .map(&:to_s)
+                                             .reject { |p| ReactOnRailsPro::RendererCacheHelpers.http_url?(p) }
+                                             .filter_map do |path|
+                                               safe_companion_asset_path(path, rails_root, rails_root_realpath)
+                                             end
+      rescue StandardError => e
+        Rails.logger.warn(
+          "[ReactOnRailsPro::RollingDeploy::BundlesController] " \
+          "companion asset discovery failed: #{e.class}: #{e.message}. " \
+          "Serving bundle without companion assets — RSC clients may fall back to runtime 410-retry."
+        )
+        []
+      end
+
+      def safe_companion_asset_path(path, rails_root, rails_root_realpath)
+        expanded = File.expand_path(path, rails_root)
+        return nil unless path_within_root?(expanded, rails_root)
+        return nil unless File.file?(expanded)
+
+        realpath = File.realpath(expanded)
+        return nil unless path_within_root?(realpath, rails_root_realpath)
+
+        expanded
+      end
+
+      def path_within_root?(path, root)
+        path == root || path.start_with?("#{root}#{File::SEPARATOR}")
+      end
+    end
+  end
+end