react_on_rails_pro 17.0.0.rc.0 → 17.0.0.rc.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 318109f164359903fe25daa4f3b63cbd4c6814e0f2cc34d4c91c21bb19ec9590
-  data.tar.gz: b45033f1471e37ee756825b4aa00238229416011efa4054151a58bf942ca9a03
+  metadata.gz: d82436e63c02deff1774b11e01658f6f06a17bca6c583986aea35ac6f8b865de
+  data.tar.gz: e88f6d4495a06792faf61891d8aefe335323dd53461deb612412d5796d8ebe10
 SHA512:
-  metadata.gz: 900bc242f0c60afaa7201215e2d9306f1f41d5a5c2f22fa11c8bbcd0e49c3ed54bdfaa59568ddefea8736e3d2719e42a1bff591e9eb11084bb2b566e72013a15
-  data.tar.gz: e8055b9d34b0255730974669b6b1926924e34e14029d478bb62cc49830bdd0e9bfd261670b43f488bb7781a5c7c137a44208d0a20a81f1c7c97bbeef82662749
+  metadata.gz: 4867d95e20f8e7bb15732ea1d749d34f49e8232a8a16b4d8ce5c2203ada419d2d5815569208b410e3f6f3e01ae7dd842896922e686aae5f49edca13de9dd61f6
+  data.tar.gz: 40720afca29e6f6ef1a527d9674adf81bde008edc6b4da86cafc009e2c2ef6e75b6c338e3f4ff4a4ef9dd7d5924aba3d81b5a313eff195bafc0de2750f361752

data/Gemfile.lock

@@ -9,7 +9,7 @@ GIT
 PATH
   remote: ..
   specs:
-    react_on_rails (17.0.0.rc.0)
+    react_on_rails (17.0.0.rc.1)
       addressable
       connection_pool
       execjs (~> 2.5)
@@ -20,7 +20,7 @@ PATH
 PATH
   remote: .
   specs:
-    react_on_rails_pro (17.0.0.rc.0)
+    react_on_rails_pro (17.0.0.rc.1)
       addressable
       async (>= 2.29)
       async-http (~> 0.95)
@@ -28,7 +28,7 @@ PATH
       io-endpoint (~> 0.17.0)
       jwt (>= 2.5, < 4)
       rainbow
-      react_on_rails (= 17.0.0.rc.0)
+      react_on_rails (= 17.0.0.rc.1)
 
 GEM
   remote: https://rubygems.org/

data/app/controllers/react_on_rails_pro/rolling_deploy/bundles_controller.rb

@@ -13,11 +13,12 @@ module ReactOnRailsPro
     # ReactOnRailsPro::RollingDeployAdapters::Http adapter on the next
     # deploy's build CI consumes both endpoints.
     #
-    # Mount this in your application's routes with `draw_routes` so the Http
-    # adapter on the next deploy can reach it. (Engine auto-mount keyed on
-    # `config.rolling_deploy_adapter` is planned for a follow-up but is not
-    # wired yet, so an explicit mount is currently required.) You can also use
-    # a custom mount path or layer your own auth middleware:
+    # When `config.rolling_deploy_adapter` is the built-in Http adapter, the
+    # Pro engine auto-mounts this controller at
+    # `config.rolling_deploy_mount_path` (default:
+    # `/react_on_rails_pro/rolling_deploy`). Set the mount path to nil or blank
+    # to opt out of the auto-mount. Use `draw_routes` only when you need a
+    # manual mount, such as a secondary path or app-specific routing wrapper:
     #
     #   # config/routes.rb
     #   ReactOnRailsPro::RollingDeploy::BundlesController.draw_routes(
@@ -25,10 +26,11 @@ module ReactOnRailsPro
     #     path: "/internal/rolling-deploy"
     #   )
     #
-    # Callers that mount the controller more than once (for example, a future
-    # engine auto-mount plus a user-controlled secondary path) must pass a
-    # distinct `as_prefix:` per call so Rails' named-route registry doesn't
-    # raise `ArgumentError: Invalid route name, already in use`.
+    # The engine auto-mount uses an internal route-helper prefix so existing
+    # manual mounts that use the default prefix keep booting during upgrades.
+    # Multiple manual mounts still need distinct `as_prefix:` values so Rails'
+    # named-route registry doesn't raise `ArgumentError: Invalid route name,
+    # already in use`.
     #
     # Security:
     #   * Bearer-token auth via `Authorization: Bearer <token>`, constant-time
@@ -56,10 +58,19 @@ module ReactOnRailsPro
       before_action :set_no_store_headers
 
       DEFAULT_ROUTE_PREFIX = "react_on_rails_pro_rolling_deploy"
+      SAFE_HASH_PATTERN = ReactOnRailsPro::RollingDeploy::SAFE_HASH_PATTERN
+      # Rails route requirements reject anchor characters, while the route
+      # matcher applies segment constraints to the full segment. Derived from
+      # SAFE_HASH_PATTERN by stripping the \A/\z anchors; the controller still
+      # performs the anchored defense-in-depth validation before any filesystem
+      # lookup.
+      ROUTE_HASH_PATTERN = Regexp.new(SAFE_HASH_PATTERN.source.delete_prefix("\\A").delete_suffix("\\z"))
 
       class << self
-        # Helper for mounting the controller in your application's routes. A
-        # planned engine auto-mount will reuse these same route definitions.
+        # Helper for manual route mounts. The Pro engine uses these same route
+        # definitions for the default auto-mount when the built-in Http adapter
+        # is configured, with an internal `as_prefix:` to avoid collisions with
+        # existing manual mounts.
         #
         # `as_prefix:` controls the generated named-route helpers
         # (`<prefix>_manifest`, `<prefix>_bundle`). Callers that mount the
@@ -72,7 +83,7 @@ module ReactOnRailsPro
                      as: :"#{as_prefix}_manifest")
           mapper.get("#{path}/bundles/:hash",
                      to: "react_on_rails_pro/rolling_deploy/bundles#show",
-                     constraints: { hash: SAFE_HASH_PATTERN },
+                     constraints: { hash: ROUTE_HASH_PATTERN },
                      as: :"#{as_prefix}_bundle")
         end
       end
@@ -81,8 +92,6 @@ module ReactOnRailsPro
       # path-traversal value through, the controller still rejects it
       # before any disk lookup because the hash must be in the
       # (regex-validated) current-hash set.
-      SAFE_HASH_PATTERN = ReactOnRailsPro::RollingDeploy::SAFE_HASH_PATTERN
-
       # Tarball entry name reserved for the server bundle. Companion assets
       # whose basename collides with this are skipped to keep the receiver
       # from extracting the wrong bytes into the bundle slot.

data/lib/react_on_rails_pro/configuration.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "set"
-
 module ReactOnRailsPro
   def self.configure
     yield(configuration)
@@ -182,6 +180,8 @@ module ReactOnRailsPro
       self.rolling_deploy_adapter = rolling_deploy_adapter
       self.rolling_deploy_token = rolling_deploy_token
       self.rolling_deploy_previous_url = rolling_deploy_previous_url
+      # Constructor nil/blank means "use the default"; configure-block assignment
+      # can still set nil/blank later to opt out of the engine auto-mount.
       self.rolling_deploy_mount_path = rolling_deploy_mount_path.presence || DEFAULT_ROLLING_DEPLOY_MOUNT_PATH
       self.ssr_pre_hook_js = ssr_pre_hook_js
       self.assets_to_copy = assets_to_copy

data/lib/react_on_rails_pro/engine.rb

@@ -7,13 +7,30 @@ module ReactOnRailsPro
     LICENSE_URL = "https://pro.reactonrails.com/"
     # TODO: Remove this legacy migration warning path after 16.5.0 stable release (target: 2026-05-31).
     LEGACY_LICENSE_FILE = "config/react_on_rails_pro_license.key"
+    ROLLING_DEPLOY_AUTO_ROUTE_PREFIX = "react_on_rails_pro_auto_rolling_deploy"
     private_constant :LICENSE_URL
     private_constant :LEGACY_LICENSE_FILE
+    private_constant :ROLLING_DEPLOY_AUTO_ROUTE_PREFIX
 
     initializer "react_on_rails_pro.routes" do
       ActionDispatch::Routing::Mapper.include ReactOnRailsPro::Routes
     end
 
+    initializer "react_on_rails_pro.rolling_deploy_routes" do |app|
+      app.routes.prepend do
+        pro_config = ReactOnRailsPro.configuration
+        mount_path = pro_config.rolling_deploy_mount_path
+
+        if pro_config.rolling_deploy_http_adapter? && mount_path.present?
+          ReactOnRailsPro::RollingDeploy::BundlesController.draw_routes(
+            self,
+            path: mount_path,
+            as_prefix: ROLLING_DEPLOY_AUTO_ROUTE_PREFIX
+          )
+        end
+      end
+    end
+
     # Check license status on Rails startup and log appropriately
     # App continues running regardless of license status
     initializer "react_on_rails_pro.check_license" do

data/lib/react_on_rails_pro/renderer_cache_helpers.rb

@@ -3,7 +3,6 @@
 require "fileutils"
 require "securerandom"
 require "pathname"
-require "set"
 
 require "react_on_rails_pro/error"
 

data/lib/react_on_rails_pro/rolling_deploy_adapters/http.rb

@@ -4,6 +4,7 @@ require "fileutils"
 require "json"
 require "net/http"
 require "openssl"
+require "tempfile"
 require "uri"
 
 require "react_on_rails_pro/error"
@@ -32,6 +33,7 @@ module ReactOnRailsPro
     # Error contract matches the rolling_deploy_adapter protocol: every
     # exception is caught and reported as a warning so a failed seed degrades
     # to the runtime 410-retry fallback rather than failing the build.
+    # rubocop:disable Metrics/ClassLength
     class Http
       # Per-request HTTP timeouts. The outer Timeout.timeout in
       # RollingDeployCacheStager bounds the total wall-clock budget (10s for
@@ -49,6 +51,12 @@ module ReactOnRailsPro
       # exhaust disk via a zip-bomb-style response.
       DEFAULT_MAX_SIZE = ReactOnRailsPro::RollingDeploy::Tarball::DEFAULT_MAX_SIZE
 
+      # Maximum compressed bytes accepted from /bundles/:hash before extract
+      # enforces DEFAULT_MAX_SIZE on the uncompressed tarball contents.
+      # Set near 1/4 of DEFAULT_MAX_SIZE: JS bundles typically decompress 3-5x,
+      # so a 50 MB wire payload that decompresses beyond 200 MB is anomalous.
+      COMPRESSED_BODY_CAP = 50 * 1024 * 1024
+
       LOG_PREFIX = "[ReactOnRailsPro::RollingDeployAdapters::Http]"
 
       # Wire-format constant: must stay in sync with
@@ -101,10 +109,13 @@ module ReactOnRailsPro
 
           dir = bundle_dir(bundle_hash)
           FileUtils.mkdir_p(dir)
-          tarball_body = download_bundle_tarball(base, bundle_hash)
-          return cleanup_and_return(dir, nil) if tarball_body.nil?
 
-          extract_payload(tarball_body, dir, bundle_hash)
+          result = download_bundle_tarball(base, bundle_hash) do |tarball|
+            extract_payload(tarball, dir, bundle_hash)
+          end
+          return cleanup_and_return(dir, nil) if result.nil?
+
+          result
         rescue StandardError => e
           cleanup_and_return(dir, nil) if dir
           warn_and_return("fetch(#{bundle_hash.inspect}) failed: #{e.class}: #{e.message}", nil)
@@ -168,26 +179,77 @@ module ReactOnRailsPro
         end
 
         def download_bundle_tarball(base, bundle_hash)
-          response = http_get(URI("#{base}/bundles/#{bundle_hash}"))
-          unless response.is_a?(Net::HTTPSuccess)
-            Rails.logger.warn(
-              "#{LOG_PREFIX} bundles/#{bundle_hash} returned HTTP #{response.code}; skipping this hash."
-            )
-            return nil
+          Tempfile.create(["rolling-deploy-download-", ".tar.gz"]) do |tmp|
+            tmp.binmode
+            response = http_stream(URI("#{base}/bundles/#{bundle_hash}")) do |streaming_response|
+              unless streaming_response.is_a?(Net::HTTPSuccess)
+                Rails.logger.warn(
+                  "#{LOG_PREFIX} bundles/#{bundle_hash} returned HTTP #{streaming_response.code}; skipping this hash."
+                )
+                # Drain the error body (capped) so Net::HTTP can finish the
+                # response cleanly. If the body itself exceeds the cap,
+                # `drain_response_body` raises and `fetch`'s rescue logs a second
+                # "fetch(...) failed" warning alongside the "skipping this hash"
+                # line above. Both lines are expected for an oversized error
+                # body — the pair signals "non-2xx, and the body was too large
+                # to drain," not a separate failure.
+                drain_response_body(streaming_response)
+                next
+              end
+
+              stream_response_body(streaming_response, tmp)
+            end
+            # Non-local return: exits `download_bundle_tarball`; Tempfile.create's
+            # ensure block still unlinks `tmp` before the method returns.
+            return nil unless response.is_a?(Net::HTTPSuccess)
+
+            tmp.flush
+            tmp.rewind
+            yield tmp
           end
-          # `response.body` buffers the full compressed tarball into a single
-          # Ruby String before `Tarball.extract` can enforce DEFAULT_MAX_SIZE on
-          # uncompressed bytes. For v1 this is acceptable: build CI fetches are
-          # infrequent, the 200 MB uncompressed ceiling fits in heap, and the
-          # read timeout bounds slow responses. A future follow-up should stream
-          # the body into a Tempfile with its own compressed-byte cap (mirroring
-          # the controller's `compose_to_tempfile`) so an oversized wire payload
-          # cannot fill build-CI heap before extraction aborts.
-          response.body
         end
 
-        def extract_payload(tarball_body, dir, bundle_hash)
-          ReactOnRailsPro::RollingDeploy::Tarball.extract(tarball_body, dir, max_size: DEFAULT_MAX_SIZE)
+        def stream_response_body(response, io)
+          each_capped_body_chunk(response, context: "bundle body") { |chunk| io.write(chunk) }
+        end
+
+        # Reads and discards a non-success body solely to enforce the
+        # compressed-byte cap. No block is passed, so `each_capped_body_chunk`
+        # counts bytes without writing them anywhere.
+        def drain_response_body(response)
+          each_capped_body_chunk(response, context: "non-success response body")
+        end
+
+        def each_capped_body_chunk(response, context:)
+          bytes = 0
+          response.read_body do |chunk|
+            bytes += chunk.bytesize
+            # Strictly greater-than (`>`, not `>=`): exactly COMPRESSED_BODY_CAP
+            # bytes are allowed through, so the cap is an exclusive ceiling. The
+            # raise fires before `yield chunk`, so the offending chunk is counted
+            # but never written/drained — the Tempfile never sees more than
+            # COMPRESSED_BODY_CAP bytes.
+            if bytes > COMPRESSED_BODY_CAP
+              raise ReactOnRailsPro::Error,
+                    "#{context} exceeded compressed body cap " \
+                    "(#{compressed_body_cap_label}); aborting download"
+            end
+            yield chunk if block_given?
+          end
+        end
+
+        # Dynamic (not a constant) so specs that `stub_const` the cap to a small
+        # value still see the stubbed value reflected in the warning message.
+        def compressed_body_cap_label
+          megabyte_bytes = 1024 * 1024
+          megabytes = COMPRESSED_BODY_CAP / megabyte_bytes
+          return "#{megabytes} MB" if megabytes.positive? && megabytes * megabyte_bytes == COMPRESSED_BODY_CAP
+
+          "#{COMPRESSED_BODY_CAP} bytes"
+        end
+
+        def extract_payload(tarball_source, dir, bundle_hash)
+          ReactOnRailsPro::RollingDeploy::Tarball.extract(tarball_source, dir, max_size: DEFAULT_MAX_SIZE)
           bundle_path = File.join(dir, BUNDLE_ENTRY_NAME)
           unless File.file?(bundle_path)
             return cleanup_and_return(
@@ -225,18 +287,29 @@ module ReactOnRailsPro
         # connection pooling would force us to manage lifecycle / cleanup
         # across threads.
         def http_get(uri, read_timeout: DEFAULT_READ_TIMEOUT_SECONDS)
+          http_for(uri, read_timeout: read_timeout).request(build_request(uri))
+        end
+
+        def http_stream(uri, read_timeout: DEFAULT_READ_TIMEOUT_SECONDS, &block)
+          http_for(uri, read_timeout: read_timeout).request(build_request(uri), &block)
+        end
+
+        def build_request(uri)
           request = Net::HTTP::Get.new(uri.request_uri)
           token = configured_token
           request["Authorization"] = "Bearer #{token}" unless token.empty?
           request["Accept-Encoding"] = "identity" # tarball is already gzipped; don't double-compress
+          request
+        end
 
+        def http_for(uri, read_timeout:)
           http = Net::HTTP.new(uri.host, uri.port)
           http.use_ssl = (uri.scheme == "https")
           warn_plain_http_token(uri) unless http.use_ssl?
           http.verify_mode = OpenSSL::SSL::VERIFY_PEER if http.use_ssl?
           http.open_timeout = DEFAULT_OPEN_TIMEOUT_SECONDS
           http.read_timeout = read_timeout
-          http.request(request)
+          http
         end
 
         # Plain-HTTP guardrail. The full HTTPS-only guard lands in PR 2; until
@@ -260,5 +333,6 @@ module ReactOnRailsPro
         end
       end
     end
+    # rubocop:enable Metrics/ClassLength
   end
 end

data/lib/react_on_rails_pro/version.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
 module ReactOnRailsPro
-  VERSION = "17.0.0.rc.0"
+  VERSION = "17.0.0.rc.1"
   PROTOCOL_VERSION = "2.0.0"
 end

data/react_on_rails_pro.gemspec

@@ -34,7 +34,7 @@ Gem::Specification.new do |s|
   s.executables   = s.files.grep(%r{^exe/}) { |f| File.basename(f) }
   s.require_paths = ["lib"]
 
-  s.required_ruby_version = ">= 3.3"
+  s.required_ruby_version = ">= 3.3.0"
 
   s.add_runtime_dependency "addressable"
   s.add_runtime_dependency "async", ">= 2.29"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: react_on_rails_pro
 version: !ruby/object:Gem::Version
-  version: 17.0.0.rc.0
+  version: 17.0.0.rc.1
 platform: ruby
 authors:
 - Justin Gordon
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2026-05-30 00:00:00.000000000 Z
+date: 2026-06-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
@@ -120,14 +120,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 17.0.0.rc.0
+        version: 17.0.0.rc.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 17.0.0.rc.0
+        version: 17.0.0.rc.1
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -311,7 +311,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '3.3'
+      version: 3.3.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="