Address PR review feedback: fix bugs, security, and config issues

- Replace hardcoded localhost URL with RAILS_INTERNAL_URL env variable
- Add response.ok check to prevent silent fetch failures
- Guard 800ms demo delay to non-production environments
- Restrict sanitize-html img tag to explicit allowed attributes/schemes
- Clear useClientCache on each compilation for correct watch mode
- Remove incorrect 'use client' from server-only files
- Fix import/order lint violation in rsc-client-components
- Gate trace option to development environment only
- Remove duplicate RspackRscPlugin from server config (RSC-only)
- Fix url-loader/file-loader guard to use .includes() matching
- Pass RSC config to envSpecific callback

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: justin808

app/views/pages/server_components.html.erb

@@ -2,5 +2,5 @@
 <%= react_component("ServerComponentsPage",
     prerender: false,
     auto_load_bundle: false,
-    trace: true,
+    trace: Rails.env.development?,
     id: "ServerComponentsPage-react-component-0") %>

client/app/bundles/comments/startup/RouterApp/ror_components/RouterApp.server.jsx

@@ -1,5 +1,3 @@
-'use client';
-
 // Compare to ./RouterApp.client.jsx
 import { Provider } from 'react-redux';
 import React from 'react';

client/app/bundles/comments/startup/serverRegistration.jsx

@@ -1,5 +1,3 @@
-'use client';
-
 // Example of React + Redux
 import ReactOnRails from 'react-on-rails-pro';
 

client/app/bundles/server-components/components/CommentsFeed.jsx

@@ -12,12 +12,19 @@ const marked = new Marked();
 marked.use(gfmHeadingId());
 
 async function CommentsFeed() {
-  // Simulate network latency to demonstrate streaming
-  // eslint-disable-next-line no-promise-executor-return
-  await new Promise((resolve) => setTimeout(resolve, 800));
+  // Simulate network latency to demonstrate Suspense streaming (development only)
+  if (process.env.NODE_ENV !== 'production') {
+    await new Promise((resolve) => {
+      setTimeout(resolve, 800);
+    });
+  }
 
   // Fetch comments directly from the Rails API — no client-side fetch needed
-  const response = await fetch('http://localhost:3000/comments.json');
+  const baseUrl = process.env.RAILS_INTERNAL_URL || 'http://localhost:3000';
+  const response = await fetch(`${baseUrl}/comments.json`);
+  if (!response.ok) {
+    throw new Error(`Failed to fetch comments: ${response.status} ${response.statusText}`);
+  }
   const comments = await response.json();
 
   // Use lodash to process (stays on server)
@@ -45,6 +52,11 @@ async function CommentsFeed() {
         const rawHtml = marked.parse(comment.text || '');
         const safeHtml = sanitizeHtml(rawHtml, {
           allowedTags: sanitizeHtml.defaults.allowedTags.concat(['img']),
+          allowedAttributes: {
+            ...sanitizeHtml.defaults.allowedAttributes,
+            img: ['src', 'alt', 'title', 'width', 'height'],
+          },
+          allowedSchemes: ['https', 'http', 'data'],
         });
 
         return (

client/app/packs/rsc-client-components.js

@@ -4,8 +4,8 @@
 // Components with 'use client' that are used in server components must be
 // available in a client bundle chunk so the React flight client can load them.
 
-import TogglePanel from '../bundles/server-components/components/TogglePanel';
 import ReactOnRails from 'react-on-rails-pro';
+import TogglePanel from '../bundles/server-components/components/TogglePanel';
 
 // Register as a standard component so it's bundled in a client-accessible chunk
 ReactOnRails.register({ TogglePanel });

config/webpack/rscWebpackConfig.js

@@ -62,8 +62,11 @@ const configureRsc = () => {
       if (cssLoader?.options?.modules) {
         cssLoader.options.modules = { ...cssLoader.options.modules, exportOnlyLocals: true };
       }
-    } else if (rule.use && (rule.use.loader === 'url-loader' || rule.use.loader === 'file-loader')) {
-      rule.use.options.emitFile = false;
+    } else if (
+      rule.use?.loader
+      && (rule.use.loader.includes('url-loader') || rule.use.loader.includes('file-loader'))
+    ) {
+      rule.use.options = { ...(rule.use.options || {}), emitFile: false };
     }
   });
 

config/webpack/rspackRscPlugin.js

@@ -48,6 +48,11 @@ class RspackRscPlugin {
   }
 
   apply(compiler) {
+    // Clear cache on each compilation so watch-mode picks up 'use client' changes
+    compiler.hooks.thisCompilation.tap('RspackRscPlugin-ClearCache', () => {
+      useClientCache.clear();
+    });
+
     compiler.hooks.thisCompilation.tap('RspackRscPlugin', (compilation) => {
       compilation.hooks.processAssets.tap(
         {

config/webpack/serverWebpackConfig.js

@@ -5,7 +5,6 @@ const path = require('path');
 const { config } = require('shakapacker');
 const commonWebpackConfig = require('./commonWebpackConfig');
 const { getBundler } = require('./bundlerUtils');
-const { RspackRscPlugin } = require('./rspackRscPlugin');
 
 /**
  * Extract a specific loader from a webpack rule's use array.
@@ -172,9 +171,6 @@ const configureServer = () => {
     'react-dom/server.browser.js$': 'react-dom/server.node.js',
   };
 
-  // RSC: Generate react-server-client-manifest.json for SSR component resolution
-  serverWebpackConfig.plugins.push(new RspackRscPlugin({ isServer: true }));
-
   return serverWebpackConfig;
 };
 

config/webpack/webpackConfig.js

@@ -22,14 +22,15 @@ const webpackConfig = (envSpecific) => {
     result = serverConfig;
   } else if (process.env.RSC_BUNDLE_ONLY) {
     const rscConfig = rscWebpackConfig();
+    if (envSpecific) envSpecific(null, null, rscConfig);
     // eslint-disable-next-line no-console
     console.log('[React on Rails] Creating only the RSC bundle.');
     result = rscConfig;
   } else {
     const clientConfig = clientWebpackConfig();
     const serverConfig = serverWebpackConfig();
     const rscConfig = rscWebpackConfig();
-    if (envSpecific) envSpecific(clientConfig, serverConfig);
+    if (envSpecific) envSpecific(clientConfig, serverConfig, rscConfig);
     // eslint-disable-next-line no-console
     console.log('[React on Rails] Creating client, server, and RSC bundles.');
     result = [clientConfig, serverConfig, rscConfig];