feat: rolling_deploy_adapter for seeding previous bundle hashes

[justin808]

Summary

Adds a pluggable config.rolling_deploy_adapter protocol that eliminates 410→retry cold-start round-trips for previously-deployed bundle hashes during rolling deploys — complementing the current-hash seeding already handled by PRs #3124 + #3167.

Stacked on #3167 (PR B). Target base is `jg/3122-unify-renderer-cache-staging`; will rebase onto `master` once PRs A + B merge. Refs #3122. Design doc previously shared: see earlier session context.

Why

PR A seeded the current hash. PR B unified copy/symlink staging. But during a rolling deploy:

• Old Rails instances (hash `abc`) still drain traffic.
• New Rails instances (hash `def`) serve new traffic.
• New renderer instances receive requests for both hashes.

Pre-seeding only the current hash leaves `abc` cold on new renderers → every draining-version request hits the 410 retry path. This PR closes that gap.

Protocol

module MyRollingDeployAdapter
  def self.previous_bundle_hashes   # Array<String>
  def self.fetch(bundle_hash)        # Hash(:bundle, :assets) | nil
  def self.upload(bundle_hash, bundle:, assets:)
end

ReactOnRailsPro.configure do |config|
  config.rolling_deploy_adapter = MyRollingDeployAdapter
end

Parallel in shape to `remote_bundle_cache_adapter` — same duck-typed module pattern, same validation at configure time.

The loadable-stats wrinkle

Each bundle hash must carry its own companion `loadable-stats.json` and RSC manifests (built in lockstep with that bundle). Otherwise the renderer emits HTML referencing chunk URLs for the wrong build → client-side hydration breakage. The `fetch` signature returns bundle + assets together to force callers to think about this; see `docs/pro/rolling-deploy-adapters.md` for the full discussion.

Integration points

1. `PreSeedRendererCache.call` (from PR B) now invokes `RollingDeployCacheStager` after staging the current hash(es). Deduplicates against current hashes.
2. `AssetsPrecompile.call` auto-invokes `adapter.upload(current_hash, ...)` after precompile in production-like environments, closing the publish side so the next deploy can fetch.
3. `PREVIOUS_BUNDLE_HASHES` env var (comma-separated) overrides `previous_bundle_hashes` discovery for CI / testing.

Error handling — degrades gracefully

Runtime 410-retry remains the fallback for any seeding failure, so rolling-deploy seeding can never cause a correctness regression:

Scenario	Behavior
Adapter not configured	No-op.
`previous_bundle_hashes` raises	Warn, skip previous-hash seeding.
`fetch` returns nil or raises	Warn, skip that hash.
`upload` raises in precompile	Warn, don't fail precompile.
Returned hash matches current	Deduped.

Doctor (`react_on_rails:doctor`) probes

• ✅ Protocol conformance (all three required methods).
• ✅ `previous_bundle_hashes` probe with 10s timeout — reports latency and count.
• ⚠️ Empty list ("upload side has never run on a prior deploy").
• ℹ️ Resolved renderer cache dir + bundle-hash subdirs present.
• ℹ️ `PREVIOUS_BUNDLE_HASHES` env set without an adapter.

Doctor never calls `fetch` or `upload` — those have side effects.

Docs

• New: `docs/pro/rolling-deploy-adapters.md` — protocol spec, three reference implementations (S3, Control Plane, Filesystem), loadable-stats wrinkle discussion, relationship to `remote_bundle_cache_adapter`.
• `docs/pro/node-renderer.md` rolling-deploys section updated to point at the new page.
• Sidebar entry added.

Test plan

• 7 new specs for `RollingDeployCacheStager` covering every invocation path: adapter unset, hash list discovery, env override, copy mode, symlink mode, fetch nil, fetch raises, previous_bundle_hashes raises, missing :server_bundle in payload, dedup vs current.
• 5 new doctor specs for `check_rolling_deploy_adapter`.
• Existing Pro specs updated where `instance_double(Configuration, ...)` needed the new accessor.
• 36 Pro specs pass locally (27 from PR B + 9 new).
• 168 doctor specs pass locally (1 pre-existing unrelated failure in `auto_fix_versions`).
• `bundle exec rubocop` clean on all changed files.
• CI (will verify after push).

Relationship to other adapters

	`remote_bundle_cache_adapter`	`rolling_deploy_adapter`
Scope	Webpack build outputs (pre-compile caching)	Deployed bundle hashes (rolling deploy)
When	Build phase	Post-precompile + pre-seed phase
Avoids	Rebuilding webpack when source hasn't changed	410 retries for draining-version requests
Keyed by	Source digest	Bundle hash

Complementary — configure both if useful.

🤖 Generated with Claude Code

---

Note

Medium Risk
Touches Pro deploy-time asset publication and renderer-cache staging paths (assets:precompile and PreSeedRendererCache), which can impact production deploy behavior if misconfigured. Changes are largely additive and guarded with timeouts/warnings, but involve filesystem operations and external adapter calls.

Overview
Introduces a new Pro config.rolling_deploy_adapter protocol (previous_bundle_hashes, fetch, upload) to seed prior bundle hashes into the Node Renderer cache during PreSeedRendererCache, with PREVIOUS_BUNDLE_HASHES available as a discovery override.

Hooks assets:precompile to publish the current server/RSC bundle hashes + companion assets via the adapter (best-effort with per-hash timeouts and warnings), and extends react_on_rails:doctor to validate/probe the adapter (including cache-dir reporting and env-var misuse warnings).

Unifies cache staging helpers and updates staging to auto-include loadable-stats.json when present, adds extensive specs for the stager/doctor/config validation, and documents the protocol with new docs/pro/rolling-deploy-adapters.md plus sidebar/node-renderer doc updates (plus a minor lychee exclude tweak).

^{Reviewed by Cursor Bugbot for commit ca729db. Bugbot is set up for automated code reviews on this repo. Configure here.}

Summary by CodeRabbit

• New Features

  • Rolling-deploy adapter to pre-seed renderer caches and optionally publish bundles during assets precompile.
  • Automatic inclusion/staging of loadable-stats.json companion assets when present.

• Configuration

  • New rolling_deploy_adapter option with validation of the adapter’s required interface.

• Documentation

  • Comprehensive rolling-deploy adapter docs, examples, and expanded Node Renderer rolling-deploy guidance; sidebar entry added.

• Improved Diagnostics

  • Doctor now reports rolling-deploy adapter status, discovery, and warnings.

• Tests

  • Extensive spec coverage for rolling-deploy, pre-seed, publishing, and configuration validation.

• Chores

  • CI link-checker exclusion added for an intermittently failing GitHub URL.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Implements a rolling-deploy adapter protocol and tooling to pre-seed Node renderer caches: adds adapter configuration and validation, RendererCacheHelpers updates, a RollingDeployCacheStager to fetch/stage previous bundle hashes, publishing hooks in assets precompile, doctor diagnostics, docs, and comprehensive specs.

Changes

Rolling Deploy Adapter & Cache Seeding Implementation

Layer / File(s)	Summary
Adapter configuration & top-level require react_on_rails_pro/lib/react_on_rails_pro/configuration.rb, react_on_rails_pro/lib/react_on_rails_pro.rb	Adds rolling_deploy_adapter config with default and validation; enforces required class methods and upload signature shapes; requires the stager module at load time.
RendererCacheHelpers & PreSeed integration react_on_rails_pro/lib/react_on_rails_pro/renderer_cache_helpers.rb, react_on_rails_pro/lib/react_on_rails_pro/pre_seed_renderer_cache.rb	Adds LOADABLE_STATS_ASSET_NAME, collect_assets, loadable_stats_asset_path, symlink/copy staging helpers; PreSeedRendererCache delegates staging, collects staged hashes, and invokes RollingDeployCacheStager after loop.
Rolling Deploy Cache Stager react_on_rails_pro/lib/react_on_rails_pro/rolling_deploy_cache_stager.rb	New RollingDeployCacheStager.call(cache_dir:, current_hashes:, mode:) resolves previous hashes (env or adapter), sanitizes/deduplicates, fetches payloads with timeouts, validates bundle+assets and required RSC companion basenames, stages into temp dirs, promotes atomically with backup/restore and concurrency checks, and sweeps stale temp directories.
Bundle Publishing react_on_rails_pro/lib/react_on_rails_pro/assets_precompile.rb	Adds publish_current_bundle_if_configured to publish current server and RSC bundles to configured adapter after pre-seed; builds companion-asset list, filters/expands assets, warns on missing required RSC companions, enforces per-upload timeout, and treats upload failures as warnings.
Doctor diagnostics react_on_rails/lib/react_on_rails/doctor.rb	Adds check_rolling_deploy_adapter to validate adapter protocol, probe previous_bundle_hashes with timeout, handle PREVIOUS_BUNDLE_HASHES env override, and report resolved cache dir bundle counts while excluding staging/previous temp dirs; adds related constants.
Docs & changelog & sidebar & Lychee docs/pro/rolling-deploy-adapters.md, docs/pro/node-renderer.md, CHANGELOG.md, docs/sidebars.ts, .lychee.toml	New rolling-deploy adapters doc, node-renderer updates, CHANGELOG entries, sidebar entry addition, and a Lychee exclusion for flaky https://github.com/K4sku.
Specs: stager react_on_rails_pro/spec/dummy/spec/rolling_deploy_cache_stager_spec.rb	Comprehensive spec for RollingDeployCacheStager covering discovery, fetch, staging, promotion, concurrency, cleanup, and RSC-required asset handling.
Specs: assets/config/renderer helpers/doctor various spec/ files	Adds/updates specs for AssetsPrecompile publication behavior, Configuration rolling_deploy_adapter validation, RendererCacheHelpers.collect_assets, PreSeed/PrepareNodeRenderBundles test doubles, and Doctor checks; many test configs include rolling_deploy_adapter: nil.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• shakacode/react_on_rails#3124: Directly related — modifies Node renderer cache staging/pre-seeding flow and related tooling.

Poem

🐰 I hop through bundles, old and new,

seeding hashes, staging true;
symlinks threaded, temps swept bright,
adapters fetch through day and night.
Zero-downtime rolls in sight.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 14.29% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main feature introduced in the PR: adding a rolling_deploy_adapter mechanism for seeding previous bundle hashes into the renderer cache during rolling deploys.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch jg/3122-rolling-deploy-adapter

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9cd1657f83

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[greptile-apps]

Greptile Summary

This PR introduces RollingDeployCacheStager, a pluggable rolling_deploy_adapter protocol, and auto-upload in AssetsPrecompile to eliminate 410→retry cold-start round-trips for previous bundle hashes during rolling deploys. The overall design — duck-typed adapter module, graceful degradation, doctor probes, and deduplication against current hashes — is solid.

• P1: In RollingDeployCacheStager.call the early-return guard (return if adapter.nil? && ENV[\"PREVIOUS_BUNDLE_HASHES\"].to_s.empty?) lets the code proceed when PREVIOUS_BUNDLE_HASHES is set but adapter is nil. fetch_payload(nil, hash) then raises NoMethodError: undefined method 'fetch' for nil, rescued with a confusing message. The companion doctor check compounds this by reporting "env override will be used" — misleading operators into thinking the env var is standalone. The fix is to change the guard to return if adapter.nil?.
• P2: stage_file in :symlink mode creates absolute symlinks (File.symlink(File.expand_path(src), dest)), while PreSeedRendererCache#make_relative_symlink creates relative ones — the inconsistency could break if the cache dir is ever bind-mounted at a different path.

Confidence Score: 4/5

Safe to merge after addressing the nil-adapter + PREVIOUS_BUNDLE_HASHES early-return bug; remaining findings are style/test-coverage.

One P1 defect: the early-return guard allows a nil-adapter path that silently fails with NoMethodError and produces a misleading doctor message. This affects any operator who sets PREVIOUS_BUNDLE_HASHES without an adapter, and it is untested. The P2 absolute-symlink inconsistency is low-risk for typical same-filesystem deploys. All other pieces — configuration validation, graceful degradation, doctor probes, deduplication logic — are well-implemented and tested.

react_on_rails_pro/lib/react_on_rails_pro/rolling_deploy_cache_stager.rb (early-return guard + symlink mode), react_on_rails/lib/react_on_rails/doctor.rb (misleading 'env override will be used' message)

Important Files Changed

Filename	Overview
react_on_rails_pro/lib/react_on_rails_pro/rolling_deploy_cache_stager.rb	New module for seeding previous bundle hashes; has two issues: early-return guard allows nil-adapter + env-set path that silently fails with NoMethodError, and symlink mode creates absolute rather than relative symlinks unlike PreSeedRendererCache.
react_on_rails_pro/lib/react_on_rails_pro/configuration.rb	Adds rolling_deploy_adapter accessor and DEFAULT/validate_rolling_deploy_adapter; validation correctly requires Module with all three methods.
react_on_rails_pro/lib/react_on_rails_pro/assets_precompile.rb	Adds publish_current_bundle_if_configured to upload the just-built bundle after precompile; error handling is correct but missing node_renderer? guard before calling NodeRenderingPool.server_bundle_hash.
react_on_rails/lib/react_on_rails/doctor.rb	Adds check_rolling_deploy_adapter probe with protocol conformance check, previous_bundle_hashes latency probe, and cache-dir resolution; doctor message for nil-adapter + env-set case is misleading ("env override will be used") when fetch will actually fail.
react_on_rails_pro/spec/dummy/spec/rolling_deploy_cache_stager_spec.rb	7 specs covering adapter-unset, fetch nil/raises, previous_bundle_hashes raises, missing server_bundle, dedup, copy and symlink modes; missing coverage for PREVIOUS_BUNDLE_HASHES with nil adapter.
react_on_rails_pro/spec/dummy/spec/pre_seed_renderer_cache_spec.rb	Correctly updated to include rolling_deploy_adapter: nil in instance_double stubs; all existing paths covered.
react_on_rails/spec/lib/react_on_rails/doctor_spec.rb	5 new doctor specs for rolling_deploy_adapter check covering nil adapter, env override, protocol success/missing, and empty hash list; comprehensive for the happy paths.
react_on_rails_pro/lib/react_on_rails_pro.rb	Adds require for rolling_deploy_cache_stager; load order is correct (before pre_seed_renderer_cache which depends on it).
react_on_rails_pro/spec/dummy/spec/prepare_node_renderer_bundles_spec.rb	Updated to include rolling_deploy_adapter: nil in instance_double; no functional changes to the spec logic.

Sequence Diagram

sequenceDiagram
    participant AP as AssetsPrecompile.call
    participant PS as PreSeedRendererCache.call
    participant RD as RollingDeployCacheStager.call
    participant DA as rolling_deploy_adapter

    AP->>PS: call(mode: :symlink)
    PS->>PS: stage current bundle hashes
    PS->>RD: call(cache_dir:, current_hashes:, mode:)
    alt adapter nil AND env empty
        RD-->>PS: return (no-op)
    else adapter present OR PREVIOUS_BUNDLE_HASHES set
        RD->>DA: previous_bundle_hashes() [or ENV override]
        DA-->>RD: ["abc", "def", ...]
        RD->>RD: deduplicate against current_hashes
        loop each previous hash
            RD->>DA: fetch(hash)
            DA-->>RD: {server_bundle:, rsc_bundle:, assets:} or nil
            RD->>RD: stage_file(src, dest, mode)
        end
    end
    AP->>AP: publish_current_bundle_if_configured
    AP->>DA: upload(current_hash, server_bundle:, rsc_bundle:, assets:)

Loading

_{Reviews (1): Last reviewed commit: "feat: add rolling_deploy_adapter for see..." | Re-trigger Greptile}

[claude]

Code Review

This is a well-structured PR with good overall design — the adapter protocol is clear, error handling degrades gracefully at every layer, test coverage is solid, and the docs are thorough. A few issues worth addressing before merge:

Bugs

1. nil adapter + PREVIOUS_BUNDLE_HASHES env var causes a confusing NoMethodError
When PREVIOUS_BUNDLE_HASHES is set but rolling_deploy_adapter is nil, the guard at RollingDeployCacheStager#call passes (nil adapter, non-empty env). resolve_previous_hashes correctly returns the env hashes via the explicit.any? branch, but then fetch_payload(adapter, hash) calls nil.fetch(hash) → NoMethodError. The rescue in seed_previous_hash catches it, so it degrades silently, but the warning message will read "NoMethodError" rather than anything actionable. Worse, the doctor check says "env override will be used" — implying standalone operation is supported.

Fix: add an explicit guard after hash resolution when adapter is nil, or document that PREVIOUS_BUNDLE_HASHES always requires a configured adapter for the fetch step. See inline comment at rolling_deploy_cache_stager.rb:65.

Security

2. Shell injection in ControlPlane reference implementation
previous_bundle_hashes uses backtick interpolation with WORKLOAD and GVC, and fetch passes an image string (derived from GVC + hash) to system(string). If any of these contain shell metacharacters, this is command injection. Use the array form of system and Open3.capture2e with argument arrays instead. See inline comment at rolling-deploy-adapters.md:240.

Correctness / Reliability

3. ENV.fetch at class-load time in reference implementations
BUCKET = ENV.fetch("ROLLING_DEPLOY_BUCKET") (S3) and GVC/WORKLOAD (ControlPlane) are evaluated when the file is required. Any environment where these vars aren't set raises KeyError on load. Use lazy def self.bucket = ENV.fetch(...) accessors instead. See inline comment at rolling-deploy-adapters.md:163.

4. No timeout on adapter.fetch during seeding
adapter.fetch(hash) has no timeout guard — only the doctor probe has a 3s timeout. A hung external store will block pre_seed_renderer_cache (and assets:precompile) indefinitely. Consider wrapping with Timeout.timeout. See inline comment at rolling_deploy_cache_stager.rb:98.

5. Race condition in S3 update_manifest!
update_manifest! is a read-modify-write with no concurrency guard. Concurrent deploys silently lose entries (last writer wins). At minimum document this; optionally use a conditional PUT with if_match: etag. See inline comment at rolling-deploy-adapters.md:218.

Style / Idioms

6. methods.include? vs respond_to?
Both validate_rolling_deploy_adapter and report_adapter_protocol use adapter.methods.include?(m). respond_to? is idiomatic for duck-typing checks and handles method_missing-based delegation. Note the existing validate_remote_bundle_cache_adapter uses the same pattern — if there's a reason, it's worth a comment. See inline comment at configuration.rb:266.

7. module_function + private_class_method vs class << self
RollingDeployCacheStager uses module_function then private_class_method. This also installs private instance method copies on any includer — almost certainly unintended. class << self with private is cleaner and matches PreSeedRendererCache. See inline comment at rolling_deploy_cache_stager.rb:63.

Minor

• publish_current_bundle_if_configured uses puts for success and warn for errors — inconsistent; consider warn or Rails.logger throughout so success messages aren't swallowed in background processes.
• The check_rolling_deploy_adapter spec doesn't cover the 3s timeout path; a test with a stubbed slow previous_bundle_hashes would close that gap.

🤖 Generated with Claude Code

[justin808]

Addressed review feedback in 2e9b3f8

MUST-FIX (2):

1. Nil adapter + `PREVIOUS_BUNDLE_HASHES` crash (greptile P1, claude) — when the env override was set without a configured adapter, the guard let execution proceed and `adapter.fetch(hash)` crashed on `nil`. Now warns and returns early. Doctor promotes the corresponding message from `:info` to `:warning` and explains that both env and adapter are required.

2. RSC previous-bundle staging path (codex P2) — the renderer routes RSC requests by `rsc_bundle_hash`, which is a separate `//.js` entry from the server bundle. The original protocol merged both bundles under one hash's directory using basenames, so the RSC bundle never landed where the renderer looks. Protocol refactor:

   • `fetch(hash)` → `{ bundle: path, assets: [paths] }` (opaque per-hash).
   • `upload(hash, bundle:, assets:)`.
   • `previous_bundle_hashes` returns a flat list including both server and RSC hashes.

   `AssetsPrecompile.publish_current_bundle_if_configured` now calls `upload` twice when RSC is enabled (once per hash). Stager stages each hash at `//.js`.

SHOULD-FIX (4):

3. `Timeout.timeout` on `adapter.fetch` (claude) — 30s default. Prevents a hung S3 / network call from blocking pre-seeding or `assets:precompile`.
4. Relative symlinks (greptile P2) — `stage_file` in `:symlink` mode now uses the same `Pathname#realpath` + `relative_path_from` pattern as `PreSeedRendererCache.make_relative_symlink`.
5. Remove stray `module_function` (claude) — was leaking private instance methods to any `include`r. All methods now `def self.`; private helpers marked `private_class_method`.
6. `respond_to?` instead of `methods.include?` (claude) — applied to both `Configuration.validate_rolling_deploy_adapter` and `Doctor.report_adapter_protocol`.

DOC POLISH (3):

7. Control Plane example — migrated from backtick/`system` shell interpolation to `Open3.capture2e` with array-form args. `previous_bundle_hashes` now returns both `REACT_ON_RAILS_BUNDLE_HASH` and `REACT_ON_RAILS_RSC_BUNDLE_HASH` so RSC deploys seed correctly.
8. Lazy env-var accessors — S3 and Control Plane examples now read env vars inside methods rather than at class-load time, so `KeyError` can't fire on `require` in environments that don't configure the adapter.
9. S3 race condition note — explicit callout that `update_manifest!` is read-modify-write; documents serialized deploys or `If-Match`/ETag as strict-safety alternatives.

Tests: 13 rolling-deploy specs (was 7) — adds nil-adapter+env warning, fetch timeout, relative-symlink assertion. Doctor spec updated for the warn-vs-info change. 38 Pro specs pass, 167/168 doctor specs pass (1 pre-existing unrelated failure in `auto_fix_versions`, unchanged).

I (Claude Code) addressed the feedback on behalf of @justin808.

[claude]

Code Review — PR #3173: rolling_deploy_adapter protocol

Overall this is a well-designed addition. The duck-typed protocol mirrors remote_bundle_cache_adapter, the error-handling table is thorough, the doctor probes are appropriately scoped (no fetch/upload side-effects), and the 7 stager specs cover all the edge cases cleanly. A few issues worth addressing before merge:

---

Bugs / correctness

1. publish_current_bundle_if_configured is missing a node_renderer? guard (inline comment on assets_precompile.rb:83)

NodeRenderingPool.server_bundle_hash is referenced unconditionally. If a user configures rolling_deploy_adapter while still using ExecJS this will raise at precompile time. The sibling call to PreSeedRendererCache.call already has a node_renderer? guard — publish_current_bundle_if_configured should too.

2. Path traversal via PREVIOUS_BUNDLE_HASHES (inline comment on rolling_deploy_cache_stager.rb:62)

Env-var values flow directly into File.join(cache_dir, hash) without any sanitisation. A value like ../../../tmp/evil escapes the cache directory. Adapter-returned hashes come from your own code and are presumably safe; the env-var path is not. A simple allowlist regex (/\A[A-Za-z0-9_\-]+\z/) covers all realistic hash formats.

---

Missing test coverage

publish_current_bundle_if_configured (new in assets_precompile.rb) has zero specs. This is the hot path during every production assets:precompile — it calls the adapter, calls NodeRenderingPool class methods, and has branching for RSC. At minimum, add specs for: adapter nil → no-op; development env → no-op; upload succeeds; upload raises → warns but doesn't propagate; RSC enabled → uploads twice.

---

Reference implementation issues (inline comments on rolling-deploy-adapters.md)

3. ControlPlane adapter: Dir[File.join(tmp, "*.json")] is too broad (line 236)
An image pull may deposit lock files or other JSON alongside the manifests. The S3 adapter explicitly names loadable-stats.json, react-client-manifest.json, react-server-client-manifest.json — the Control Plane adapter should do the same.

4. S3 adapter: @s3 ||= is not thread-safe (line 162)
Under concurrent callers two threads can each instantiate an Aws::S3::Client. Wrapping with a Mutex (or simply not memoizing, given the call frequency) fixes this.

5. update_manifest! stores RETENTION + 2 but previous_bundle_hashes returns RETENTION (line 187)
This is likely intentional (soft buffer) but undocumented, making the code confusing. A one-line comment explaining the intent would help.

---

Minor observations (not blocking)

• FilesystemRollingDeployAdapter#fetch returns dir.join("bundle.js").to_s without checking File.exist?. The stager's fetch_payload handles this, but it silently violates the contract the protocol doc sets out (returning a non-nil payload that fails the existence check). Consider checking existence before returning or returning nil.
• The Dir[dir.join("*.json")] in FilesystemRollingDeployAdapter#fetch passes a Pathname to Dir[]. Ruby calls to_s on it so it works, but dir.join("*.json").to_s is more explicit about intent.
• validate_rolling_deploy_adapter in configuration.rb is not directly unit-tested. The doctor specs exercise a similar check but not the configuration-time validation path.

🤖 Generated with Claude Code

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2e9b3f8e58

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[justin808]

Addressed post-revision review feedback in fb3de1b

Seven new actionable items since `2e9b3f8e5` — all fixed. None skipped.

Security / correctness:

1. Path traversal via `PREVIOUS_BUNDLE_HASHES` (claude) — hash values are used as directory names. Now reject anything not matching `/\A[A-Za-z0-9_\-.]+\z/` with a warning. Spec asserts `../../../etc` is rejected while safe hashes continue through.
2. `node_renderer?` guard in `publish_current_bundle_if_configured` (claude) — skip publication under ExecJS renderer. Without this, `NodeRenderingPool.server_bundle_hash` would crash precompile.
3. Top-level rescue in publish method (cursor Medium) — `collect_assets` / `server_bundle_hash` / `rsc_bundle_js_file_path` can raise from the setup code. Wrapped the whole publication path with `rescue StandardError` so failures degrade next-deploy seeding but don't fail this deploy's `assets:precompile`.
4. Partial-staging cleanup on asset failure (codex P1) — previously a failed asset copy after a successful bundle copy would leave the cache with a bundle without its companion manifests. Renderer would serve it, producing hydration failures instead of the clean 410-retry fallback. Now `rm_rf` the hash directory on any failure inside `seed_previous_hash`. Spec asserts the bundle dir is gone after a mid-stage failure.

Docs:

3. Control Plane fetch allowlist (claude) — replaced `Dir[tmp/*.json]` with explicit `loadable-stats.json` + RSC manifest allowlist. Stray image-layer JSON won't be picked up.
4. S3 client mutex (claude) — `@s3 ||=` is not thread-safe under concurrent callers. Example now uses `Mutex.synchronize` memoization with a doc comment.
5. S3 RETENTION alignment (claude) — both read and write now trim to `RETENTION`; dropped the `+2` asymmetry. Added comment explaining the intent for users who want a soft buffer.

Tests: 40 specs pass (was 38; +2 for path-traversal reject + partial-staging cleanup). Rubocop clean. Pre-commit hooks pass.

I (Claude Code) addressed the feedback on behalf of @justin808.

[claude]

Code Review: PR 3173 rolling_deploy_adapter - see inline comments for specifics.

Overview: Solid PR completing the rolling-deploy trilogy. Graceful-degradation design is well-executed — every failure path (timeout, nil, raise) falls back to 410-retry, so the adapter can never break a deploy.

Strengths: Airtight graceful degradation; defense-in-depth path traversal protection; atomic two-mv staging with concurrent-writer detection; upload signature validation at configure-time; thorough reference implementations.

Six issues flagged via inline comments: (1) missing blank line after private_class_method block in assets_precompile.rb:218-219; (2) SAFE_HASH_PATTERN allows leading-dot hashes that create hidden cache dirs; (3) raw regex source in operator warning is not human-readable; (4) display_label.downcase produces 'rsc' lowercase mid-sentence in RSC warning; (5) global Metrics/ModuleLength bump should be a file-level disable; (6) splat-style upload(*args) accepted but undocumented for adapter authors.

Minor: rolling_deploy_discovery_timeout_seconds fallback could reference the exact Pro spec path; stub_synchronizer helper refactor in doctor_spec.rb is a clean improvement.

[claude]

The implicit yield here means callers must pass a block, but the method signature doesn't declare &block, so this contract isn't visible from the definition — only from the call sites at lines 121 and 126.

When the file doesn't exist the block is silently not called, which is intentional for deferred hash computation. But a future caller who reads only the signature could pass the method without a block, gets LocalJumpError at runtime (only in the file-present branch), and has to trace back to understand why.

Consider using an explicit &block parameter:

Suggested change

	publish_bundle(adapter, yield, bundle, assets, bundle_label)
	publish_bundle(adapter, block.call, bundle, assets, bundle_label)

and declare the method as def self.publish_bundle_if_present(adapter, bundle, assets, bundle_label, &block). The &block makes the requirement visible in signatures, method docs, and IDEs.

[claude]

This branch accepts upload(hash, options = {}) — but in Ruby 3.0+ keyword arguments are strictly separated from positional hashes. A call like adapter.upload(hash, bundle: bundle, assets: assets) will not populate options; Ruby 3 raises ArgumentError: unknown keywords: bundle, assets instead.

The comment above correctly documents the Ruby 3 rule for *args, but the positional optional case (opt param kind) falls through to this return true without the same guard. An adapter author who writes def self.upload(hash, opts = {}) will pass validation here, deploy to a Ruby 3 app, and get a runtime ArgumentError on the first assets:precompile — a confusing failure mode given that configure accepted the adapter cleanly.

Suggestion: either reject this shape (add || optional_positionals.positive? to the uses_explicit_upload_keywords? guard), or add an explicit config-time warning that upload(hash, opts = {}) only works on Ruby 2.7 and below.

[justin808]

Review round 10 — address-review summary

Posted by me (Claude Code) after running /address-review on PR #3173. Commit: ca729db.

Addressed in code (12 items)

#	File:line	Change	Reviewer
1	assets_precompile.rb:117	(P2/must-fix) Defer pool.server_bundle_hash / pool.rsc_bundle_hash evaluation behind a block so missing-bundle warnings still fire when bundle_hash (File.mtime / Digest::MD5.file) would otherwise raise. + regression spec.	@chatgpt-codex-connector[bot]
2	.rubocop.yml:80	(must-fix) Reverted Metrics/ModuleLength global to 180; the file-level disable on rolling_deploy_cache_stager.rb:32 covers the one over-limit module.	@claude[bot] (×2)
3	rolling_deploy_cache_stager.rb:34-50	Documented Timeout.timeout interrupt-point caveats + expanded STALE_TEMP_DIR_TTL_SECONDS rationale.	@claude[bot] (×2)
4	rolling_deploy_cache_stager.rb:89	Tightened SAFE_HASH_PATTERN to reject any leading-dot hash (.hidden, .git, …), not just ./... + regression spec.	@claude[bot]
5	rolling_deploy_cache_stager.rb:380	Replaced raw SAFE_HASH_PATTERN.source in warning with plain-English description.	@claude[bot]
6	rolling_deploy_cache_stager.rb:431-450	Backup dangling symlinks (not just files/dirs) in replace_bundle_directory; documented Linux vs macOS/BSD TOCTOU divergence inline.	@claude[bot] (×2)
7	assets_precompile.rb:195	Use original bundle_label (caller's casing) instead of display_label.downcase so "RSC bundle … for RSC bundle" reads consistently.	@claude[bot]
8	assets_precompile.rb:225	Added blank line between private_class_method list and next def.	@claude[bot] (×2)
9	configuration.rb:285 + docs	Expanded error message and docs to describe splat/options-hash upload signatures (def upload(*args), def upload(hash, **opts)).	@claude[bot]
10	docs/pro/rolling-deploy-adapters.md:139	Quantified S3 manifest cost: 2× GetObject + 2× PutObject per deploy when RSC is enabled.	@claude[bot]

Already addressed in prior commits — replied + resolved (19 items)

These threads carry feedback that was silently fixed by subsequent rounds (≤ ba13457) but never closed out. Verified against current code, replied with the resolution, and resolved:

• doctor.rb:766 FIX=true guard already in place
• Sequential per-hash seeding documented as intentional
• TEMPORARY_DIRECTORY_PATTERN PID-1 handling already correct
• Array#compact .dup / Array().dup no-ops removed
• Duplicate RENDERER_BUNDLE_PATH comment block removed (3 reports)
• "whitespace-only" internal note removed from user-facing error
• All bare raise "…" converted to raise ReactOnRailsPro::Error, … (2 reports)
• sanitize_hashes:378 now rejects TEMPORARY_DIRECTORY_PATTERN matches (2 reports)
• replace_existing_symlink dead code removed
• bundle_directory uses File::SEPARATOR
• required_rsc_asset_paths now receives manifests (fixed in ba13457)
• Older Ruby-3-*args thread superseded by new docs/error-message fix above
• Older capitalize/downcase thread superseded by the same-area fix above
• Unconditional sweep documented as intentional with TTL safeguard

Verification

• bundle exec rubocop — clean on all changed files; --only Metrics/ModuleLength clean across the repo.
• bundle exec rspec spec/react_on_rails_pro/assets_precompile_spec.rb — 40/40 pass (includes new regression).
• bundle exec rspec spec/dummy/spec/rolling_deploy_cache_stager_spec.rb — 48/48 pass (includes new leading-dot rejection spec).
• bundle exec rspec spec/react_on_rails_pro/ — 394/394 pass.
• bundle exec rspec spec/lib/react_on_rails/doctor_spec.rb — 228/228 pass.

🤖 Generated with Claude Code

[claude]

Minor inconsistency with the stager: handle_missing_adapter in rolling_deploy_cache_stager.rb does ENV["PREVIOUS_BUNDLE_HASHES"].to_s.strip and then checks emptiness, so a value like " " (spaces only) is treated as unset. Here the check is !env_override.empty?, which would consider " " non-empty and fire the warning — a false positive.

The mismatch is cosmetic in practice (an all-whitespace env var is likely accidental regardless), but aligning the two checks avoids confusing discrepancy:

Suggested change

	if env_override && !env_override.empty?
	if env_override && !env_override.strip.empty?

[claude]

Same whitespace inconsistency as the check at line 2889 — aligning with the stager's .strip avoids a false-positive "skipping probe" info message for an all-whitespace value:

Suggested change

	if env_override && !env_override.empty?
	if env_override && !env_override.strip.empty?

[chatgpt-codex-connector]

To use Codex here, create an environment for this repo.

[claude]

The comment "~3 deploys' worth (2 hashes per deploy when RSC is enabled)" is accurate for RSC apps, but the same RETENTION = 6 value is used unchanged for non-RSC apps — where each deploy produces only 1 hash. In that case RETENTION = 6 keeps the last 6 deploys, not 3.

Since most teams only need to cover draining traffic from the previous 1–2 deploys, an operator who copy-pastes this for a non-RSC app will silently retain far more history than intended.

Consider either:

• Documenting both cases explicitly: RETENTION = 6 # ~3 deploys with RSC (2 hashes/deploy), or ~6 deploys without RSC (1 hash/deploy), or
• Making retention configurable with a smaller default for non-RSC (e.g. RETENTION = enable_rsc ? 6 : 2).

[claude]

Code review posted with inline comments on 4 specific issues. Summary: (1) Ruby 3 incompatibility in upload signature validation - accepts_upload_options_hash allows upload(hash, opts={}) which fails at runtime on Ruby 3+. (2) Implicit yield without &block declaration in publish_bundle_if_present. (3) PREVIOUS_BUNDLE_HASHES whitespace check inconsistency between doctor.rb and stager. (4) RETENTION=6 doc comment misleading for non-RSC apps.