[DO NOT MERGE] Pro RSC migration: stacked base PR (tracks sub-PRs)

[ihabadham]

⚠️ Do not merge — integration branch for stacked sub-PRs

This is the base/integration branch for the React on Rails Pro + React Server Components migration. Sub-PRs squash-merge into this branch as they're reviewed; only when all sub-PRs have landed and the full migration is complete does this PR merge to master as one atomic unit.

Keep this PR open as Draft until the stack is complete. Please do not auto-merge.

Goal

Migrate this tutorial to React on Rails Pro so React Server Components can be demoed here. enable_rsc_support is Pro-only, so demoing RSC inherently pulls Pro into the tutorial app-wide — this is the entry ticket for the RSC demo, not scope drift.

Supersedes PR #723

PR #723 bundled the full migration (gem swap + NodeRenderer + RSC demo + a custom Rspack RSC plugin) in a single branch. This stacked series splits that work into focused, independently-reviewable sub-PRs and realigns several choices with the canonical Pro references (react_on_rails_pro/spec/dummy, react-server-components-marketplace-demo).

Sub-PR plan

• Sub-PR 1 — Dependency swap (merged: Pro RSC migration 1/3: Swap gem and npm to react_on_rails_pro #726). Gemfile + package.json to Pro at 16.6.0 stable, first-party imports rewritten, webpack alias shimming rescript-react-on-rails. Pure dependency swap — ExecJS unchanged.
• Sub-PR 2 — NodeRenderer via webpack. Adds the Pro initializer (server_renderer = "NodeRenderer", renderer URL/password, etc.), renderer/node-renderer.js launcher, Procfile.dev entry, and the Pro webpack transforms from the :pro generator's update_webpack_config_for_pro (target: 'node', node: false, extractLoader helper, Babel SSR caller, libraryTarget: 'commonjs2'). shakapacker.yml flips to webpack here (tactical, reversed when shakacode/react_on_rails_rsc#29 ships). Handles the production license story (.env.example, CI secret).
• Sub-PR 3 — RSC demo page. Upstream RSCWebpackPlugin via react-on-rails-rsc/WebpackPlugin in both client and RSC bundles; rscWebpackConfig.js derived from serverWebpackConfig(true) per canonical refs. RSC initializer fields (enable_rsc_support, rsc_bundle_js_file, rsc_payload_generation_url_path). Demo page + routes + 'use client' directives on existing client components. No custom plugin, no separate rsc-bundle.js source, no manual rsc-client-components.js side-import — upstream plugin's clientReferences handles client-ref inclusion.

Post-merge follow-up

Once upstream shakacode/react_on_rails_rsc#29 ships RSCRspackPlugin in a release, flip shakapacker.yml back to rspack and swap require('react-on-rails-rsc/WebpackPlugin') → require('react-on-rails-rsc/RspackPlugin'). Small diff — the manifest contract is shared between the two plugins.

CI note

The repo's js_test.yml, lint_test.yml, and rspec_test.yml workflows only trigger on PRs targeting master, so sub-PRs (which target this base branch) didn't get the full suite. This PR is where the full suite runs across all the accumulated sub-PR changes before anything lands on master.

🤖 Generated with Claude Code

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 46c4c04c-36e2-4520-be0c-90c2acbe5ca8

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ihabadham/feature/pro-rsc/base

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🚀 Quick Review App Commands

Welcome! Here are the commands you can use in this PR:

/deploy-review-app

Deploy your PR branch for testing

/delete-review-app

Remove the review app when done

/help

Show detailed instructions, environment setup, and configuration options.

---

[claude]

Code Review — Sub-PR 1: Dependency Swap (react-on-rails → react-on-rails-pro)

Overview

This PR is the integration base branch for the React on Rails Pro + RSC migration. The diff from Sub-PR 1 (#726) performs a clean dependency swap: react_on_rails → react_on_rails_pro in both the Ruby and JS ecosystems, promotes both shakapacker and react_on_rails_pro from RC to stable, and adds a webpack alias shim for third-party packages that can't be source-rewritten.

---

✅ What's done well

• Consistent import updates: All 10 first-party JS files that imported react-on-rails are correctly updated to react-on-rails-pro. No missed files.
• Webpack alias is correctly scoped: Using 'react-on-rails$' (with $) avoids rewriting sub-path imports, which is exactly right since Pro's package exports differ from core's. The in-code comment explains the rationale clearly.
• RC → stable promotions: Both shakapacker and react_on_rails_pro move from RC to stable (10.0.0, 16.6.0). Good.
• PR description: Thorough stack explanation, clear sub-PR plan, and explicit CI note. Sets reviewers up well.

---

⚠️ Issues to address before merging to master

1. License key — CI will fail without it

react_on_rails_pro validates a REACT_ON_RAILS_PRO_LICENSE environment variable at startup. The PR description delegates the license story to Sub-PR 2, but this integration branch is where the full CI suite runs (per the description's own CI note). If the secret isn't already in the repo's CI environment, rspec_test.yml / lint_test.yml will fail as soon as the Rails process boots.

Action: Verify the REACT_ON_RAILS_PRO_LICENSE secret is present in the repo's GitHub Actions secrets before this PR runs CI, or add it as part of this base branch rather than Sub-PR 2.

2. Significant new dependency footprint in react_on_rails_pro

The lock file adds: async, console, fiber-annotation, fiber-local, fiber-storage, http-2, httpx, io-event, jwt, metrics, traces. These are all real dependencies of Pro's NodeRenderer (async HTTP/2 calls with JWT auth to the renderer process) but they represent a meaningful expansion of the gem surface — 11 new gems. This is expected for Pro but worth calling out for maintainers watching bundle size.

3. react_on_rails (core) still in the lockfile as a transitive dep

react_on_rails_pro (16.6.0) depends on react_on_rails (= 16.6.0), so core is still installed — it just moves from a direct dependency to a transitive one. This is intentional (Pro wraps Core), but developers grepping Gemfile.lock for react_on_rails will find both. A one-line comment in the Gemfile would save confusion:

# react_on_rails (core) is installed as a transitive dep of react_on_rails_pro
gem "react_on_rails_pro", "16.6.0"

4. Webpack alias carries an implicit API-compatibility assumption

The alias redirects any third-party require('react-on-rails') call to react-on-rails-pro. This works only if Pro exports an API that is a superset of (or compatible with) what rescript-react-on-rails actually calls at runtime. If rescript-react-on-rails uses an API that diverged between core and Pro, the alias will silently produce runtime errors.

Suggestion: Add a brief note to the comment (or the PR) confirming that rescript-react-on-rails's usage was verified against Pro's exports.

---

Minor

• pack-config-diff@^0.1.0 appears as a new transitive dep of shakapacker@10.0.0 (not in the RC). It's a YAML diff utility — benign, but worth confirming it was introduced intentionally by the shakapacker stable release and not a lockfile artifact.
• ClientRouterAppExpress.jsx still imports browserHistory from react-router v3 — pre-existing, out of scope, but flagged for awareness.

---

Summary

The mechanical swap is clean and correct. The main blocker before this can land on master is confirming the Pro license secret is in CI. The webpack alias and dependency footnotes are advisory.

🤖 Generated with Claude Code

[claude]

The $-suffixed alias correctly avoids rewriting sub-path imports (e.g. react-on-rails/node_package/…), but it carries an implicit assumption: that every API rescript-react-on-rails calls at the exact-specifier level is present and compatible in react-on-rails-pro. If that has been verified against the actual call sites in rescript-react-on-rails, a short note to that effect here (or in the PR description) would save a future maintainer from re-investigating when something mysteriously breaks under RSC.

[claude]

Note that react_on_rails_pro depends on react_on_rails (= 16.6.0) (line 335 below), so both gems are present in the final bundle — core as a transitive dep, Pro as the direct dep. This is intentional (Pro wraps Core), but developers who grep Gemfile.lock for react_on_rails will find two entries. A brief comment in Gemfile above the react_on_rails_pro declaration would prevent confusion.

[claude]

jwt is used by Pro for license validation and NodeRenderer JWT authentication. Ensure the REACT_ON_RAILS_PRO_LICENSE env var is present in all CI environments and in .env.example (the PR description says this is Sub-PR 2's responsibility, but CI runs against this base branch first — the secret needs to be in place before this branch's CI suite is exercised).

[claude]

Code Review — PR #727 (Pro RSC Migration: Stacked Base)

This is a thorough, well-documented migration. The inline rationale throughout is a strong signal that the tradeoffs (webpack-over-rspack temporarily, React version pin, single-container deployment) were thought through deliberately. Below is a full pass with a few items worth resolving before the stack lands on master.

---

Overview

The PR correctly splits work across three sub-PRs and integrates them here:

• Pro RSC migration 1/3: Swap gem and npm to react_on_rails_pro #726 — gem/npm dependency swap to react_on_rails_pro 16.6.0 stable + react-on-rails-pro alias shim
• Sub-PR 2 — NodeRenderer initializer, renderer/node-renderer.js launcher, Procfile/CI integration, webpack Pro transforms
• Sub-PR 3 — RSCWebpackPlugin wiring (client references discovery already wired in serverWebpackConfig.js)

The overall approach aligns with canonical Pro references (react_on_rails_pro/spec/dummy, marketplace demo), and the decision to fail loudly (renderer_use_fallback_exec_js = false) is the right default for a tutorial app that's explicitly demoing Pro features.

---

Issues

1. babelLoader.options.caller is replaced, not merged (serverWebpackConfig.js:113–114)

babelLoader.options.caller = { ssr: true };

If babel-loader was already configured with other caller fields (e.g., { name: 'webpack', supportsStaticESM: true }), this line silently drops them. A safer pattern:

babelLoader.options.caller = { ...babelLoader.options.caller, ssr: true };

2. getBundler() silently falls through to webpack for any non-rspack value (bundlerUtils.js:14)

_cachedBundler = config.assets_bundler === 'rspack' ? require('@rspack/core') : require('webpack');

The old code threw on invalid values; the new code silently loads webpack for 'invalid-bundler', undefined, or a typo. The test throws when assets_bundler is invalid was removed without a replacement. During the webpack era this is fine, but when the repo flips back to rspack someone could introduce a typo and get unexpected webpack behavior.

At minimum, consider adding a validation check or a clear comment that this is intentional fallback behavior, and adding back a test for the invalid-value case (even if it now documents "falls back to webpack, logs a warning").

3. wait -n requires bash ≥ 4.3 (.controlplane/Dockerfile CMD)

CMD ["bash", "-c", "node renderer/node-renderer.js & RENDERER_PID=$! ; bundle exec thrust bin/rails server & RAILS_PID=$! ; wait -n ; exit 1"]

wait -n (wait for any child) is a bash 4.3+ feature. Debian/Ubuntu-based images ship bash 5.x so this is almost certainly fine, but it's worth one line of confirmation that the Dockerfile's base image includes bash ≥ 4.3 (Alpine's sh would silently ignore -n). The bash -c invocation ensures the shell is bash — just worth verifying the version.

Also: RENDERER_PID and RAILS_PID are captured but never referenced again in this one-liner; they can be omitted without any behavioral change. Minor, but removes noise.

4. React version pin ~19.0.4 (resolves to 19.0.5) (package.json:78–79)

The pin is clearly intentional and the .env.example comment on react-on-rails-rsc explains it, but the package.json itself doesn't document why it's pegged to ~19.0.4 instead of ^19.0.0. A comment in package.json (or the PR description already has this) noting the pin is RSC-compatibility-driven would help maintainers not accidentally loosen it. Consider adding a brief inline comment similar to the webpack TODO comment in shakapacker.yml.

---

Observations (no action required, but worth noting)

RSCWebpackPlugin imported unconditionally in Sub-PR 2: serverWebpackConfig.js already imports react-on-rails-rsc/WebpackPlugin even though rscWebpackConfig.js (Sub-PR 3) hasn't landed yet. The plugin is wired to the server bundle's clientReferences scan right now, not gated to the RSC bundle path only. This is consistent with the canonical refs and is by design — the server bundle needs client-reference discovery even before the RSC bundle exists — but it's worth confirming this is intentional and not accidentally running RSC plugin in production before Sub-PR 3 is complete.

additionalContext: { URL, AbortController } (renderer/node-renderer.js:43): Both are available as Node.js globals since Node 18. If the CI/prod environment is Node 18+, this is fine. If there's any chance of Node 16 (which has URL but not AbortController as a global until 15.0), startup would throw a confusing ReferenceError. Given the project's other modern dependencies, Node 18+ is almost certainly guaranteed, but a engines field in package.json or a Node version check here would make it explicit.

CI renderer health check design: The polling loop in rspec_test.yml is solid — it checks both liveness and port readiness and fails fast if the PID disappears. One suggestion: consider redirecting the renderer's stdout/stderr to a log file so that on failure there's a dedicated artifact. Right now the output is interleaved in the step, which can be hard to parse if the CI log is long.

org.yml "do not re-apply" warning: The comment is accurate and important — re-applying the template would overwrite production secrets. Consider making this even more prominent (e.g., # ⚠️ WARNING: Re-applying this template overwrites all secret values.), since ControlPlane engineers may apply templates without reading all comments.

capacityAI: true in rails.yml: Good choice to let CapacityAI grow from the 1Gi baseline. Just worth confirming that the ControlPlane org has CapacityAI enabled at the org level, since it's a feature that must be opted into.

---

Summary

The stacked structure is clean, the rationale is well-documented, and the security choices (explicit fail-loud, no fallback ExecJS) are correct. The three items above — babel caller merge, silent bundler fallback, and wait -n bash version — are the ones worth addressing before the stack merges to master. Everything else is low-risk polish.

🤖 Generated with Claude Code

[claude]

This fully replaces caller rather than merging into it. If babel-loader was configured upstream with other caller fields (e.g. { name: 'webpack', supportsStaticESM: true }), those are silently dropped.

Suggested change

	babelLoader.options.caller = { ssr: true };
	babelLoader.options.caller = { ...babelLoader.options.caller, ssr: true };

[claude]

This silently falls back to webpack for any non-'rspack' value — including typos or genuinely invalid strings. The previous code threw an explicit error for invalid values; that test was removed without a replacement.

This is defensible as intentional (webpack is the desired fallback while rspack support is paused), but consider either documenting it explicitly or adding a warning log for unexpected values to make misconfiguration easier to detect:

Suggested change

	_cachedBundler = config.assets_bundler === 'rspack' ? require('@rspack/core') : require('webpack');
	_cachedBundler =
	config.assets_bundler === 'rspack'
	? require('@rspack/core')
	: (() => {
	if (config.assets_bundler && config.assets_bundler !== 'webpack') {
	console.warn(
	`[bundlerUtils] Unknown assets_bundler "${config.assets_bundler}", falling back to webpack.`,
	);
	}
	return require('webpack');
	})();

[claude]

wait -n (wait for the first child to exit) requires bash ≥ 4.3. Debian/Ubuntu base images ship bash 5.x so this should be fine, but worth a quick bash --version sanity check against the actual base image.

Also, RENDERER_PID and RAILS_PID are assigned but never used again in this one-liner — they can be dropped without any behavioral change:

Suggested change

	CMD ["bash", "-c", "node renderer/node-renderer.js & RENDERER_PID=$! ; bundle exec thrust bin/rails server & RAILS_PID=$! ; wait -n ; exit 1"]
	CMD ["bash", "-c", "node renderer/node-renderer.js & bundle exec thrust bin/rails server & wait -n ; exit 1"]

[claude]

URL and AbortController are Node.js globals as of Node 18 (both) and Node 15 (AbortController). If there's any chance of Node 16 being in use, AbortController would be undefined and reactOnRailsProNodeRenderer would receive undefined silently — or throw a confusing error at SSR time rather than at startup.

Since the project already requires modern Node for React 19 / RSC, consider making the minimum Node version requirement explicit — either via engines in package.json or an upfront check here:

Suggested change

	additionalContext: { URL, AbortController },
	additionalContext: { URL, AbortController },

(No code change needed if Node 18+ is already enforced elsewhere — just make sure it's documented.)