Tighten Pro webpack + initializer setup from reference audit

Four fixes from auditing Sub-PR 2 against the Pro dummy, the :pro
generator, and the Pro configuration docs.

- config/initializers/react_on_rails_pro.rb: renderer_password now
  raises in non-local envs instead of falling back to the dev string.
  Previously any production deploy that forgot to set the env var would
  silently run with a known-public password; now it fails loudly.
  Matches the safer pattern from PR #723's final state.
- config/webpack/serverWebpackConfig.js: pass clientReferences to
  RSCWebpackPlugin({ isServer: true }), matching the Pro dummy's
  serverWebpackConfig at `react_on_rails_pro/spec/dummy/config/webpack/
  serverWebpackConfig.js`. Without it, the plugin may walk into
  node_modules and hit unlodaed .tsx source files and re-scan modules
  we don't need. Locks client-ref discovery to client/app/**.
- config/webpack/serverWebpackConfig.js: drop publicPath from the
  server-bundle output. Server bundles are loaded by the Node renderer
  via the filesystem, never served over HTTP — the URL is unused.
  Matches the Pro dummy's comment.
- package.json: pin react-on-rails-rsc to 19.0.4 stable (was ^19.0.4
  range) and add "node-renderer" npm script as a convenience shortcut
  for `node renderer/node-renderer.js`.
- .github/workflows/rspec_test.yml: set RENDERER_PASSWORD explicitly in
  CI to the shared dev default so both the initializer and the launcher
  use the same concrete value, avoiding silent drift if either side's
  default is ever touched.

Re-verified: webpack build clean; renderer + Rails boot; GET / returns
HTTP 200 with "Node Renderer responded" in the Rails log and
"[SERVER] RENDERED" in the renderer log, confirming SSR still goes
through the Pro path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: ihabadham

.github/workflows/rspec_test.yml

@@ -33,6 +33,9 @@ jobs:
       DRIVER: selenium_chrome
       CHROME_BIN: /usr/bin/google-chrome
       USE_COVERALLS: true
+      # Must match config.renderer_password in config/initializers/react_on_rails_pro.rb.
+      # Setting explicitly avoids silent drift if the two-sided defaults ever diverge.
+      RENDERER_PASSWORD: local-dev-renderer-password
 
     steps:
       - name: Install Chrome

config/initializers/react_on_rails_pro.rb

@@ -17,8 +17,13 @@
   config.renderer_url = ENV.fetch("REACT_RENDERER_URL", "http://localhost:3800")
 
   # Shared secret for renderer authentication. Must match renderer/node-renderer.js.
-  # In production, set RENDERER_PASSWORD to a strong value via your secret store.
-  # The shared dev default keeps the launcher and initializer in sync locally
-  # so `bin/dev` just works.
-  config.renderer_password = ENV.fetch("RENDERER_PASSWORD", "local-dev-renderer-password")
+  # In dev and test, both sides default to the same value so `bin/dev` works
+  # without setup. In production, RENDERER_PASSWORD must be set explicitly —
+  # falling back to a known-public dev string in prod would auth-bypass the
+  # renderer.
+  config.renderer_password = if Rails.env.local?
+                               ENV.fetch("RENDERER_PASSWORD", "local-dev-renderer-password")
+                             else
+                               ENV.fetch("RENDERER_PASSWORD")
+                             end
 end

config/webpack/serverWebpackConfig.js

@@ -87,18 +87,31 @@ const configureServer = (rscBundle = false) => {
   serverWebpackConfig.plugins.unshift(new bundler.optimize.LimitChunkCountPlugin({ maxChunks: 1 }));
 
   if (!rscBundle) {
-    serverWebpackConfig.plugins.push(new RSCWebpackPlugin({ isServer: true }));
+    // Limit client-reference discovery to the app source directory. Without
+    // `clientReferences`, the plugin may traverse into node_modules/ and hit
+    // non-JS source files (e.g. .tsx that aren't configured for a loader),
+    // and would re-scan nodes we don't care about. Matches the Pro dummy
+    // pattern in react_on_rails_pro/spec/dummy/config/webpack/serverWebpackConfig.js.
+    serverWebpackConfig.plugins.push(
+      new RSCWebpackPlugin({
+        isServer: true,
+        clientReferences: [
+          { directory: path.resolve(__dirname, '../../client/app'), recursive: true, include: /\.(js|ts|jsx|tsx)$/ },
+        ],
+      }),
+    );
   }
 
   // Custom output for the server-bundle.
-  // libraryTarget: 'commonjs2' is required by the Pro Node renderer so it can
-  // `require()` the evaluated bundle.
+  // - libraryTarget: 'commonjs2' is required by the Pro Node renderer so it
+  //   can `require()` the evaluated bundle.
+  // - No publicPath: the server bundle is loaded by the Node renderer via the
+  //   filesystem, never served over HTTP, so asset URLs would go unused.
   serverWebpackConfig.output = {
     filename: 'server-bundle.js',
     globalObject: 'this',
     libraryTarget: 'commonjs2',
     path: path.resolve(__dirname, '../../ssr-generated'),
-    publicPath: config.publicPath,
   };
 
   // Don't hash the server bundle b/c would conflict with the client manifest

package.json

@@ -30,7 +30,8 @@
     "test:client": "yarn jest",
     "build:test": "rm -rf public/packs-test && RAILS_ENV=test NODE_ENV=test bin/shakapacker",
     "build:dev": "rm -rf public/packs && RAILS_ENV=development NODE_ENV=development bin/shakapacker",
-    "build:clean": "rm -rf public/packs || true"
+    "build:clean": "rm -rf public/packs || true",
+    "node-renderer": "node renderer/node-renderer.js"
   },
   "dependencies": {
     "@babel/cli": "^7.21.0",
@@ -82,7 +83,7 @@
     "react-intl": "^6.4.4",
     "react-on-rails-pro": "16.6.0",
     "react-on-rails-pro-node-renderer": "16.6.0",
-    "react-on-rails-rsc": "^19.0.4",
+    "react-on-rails-rsc": "19.0.4",
     "react-redux": "^8.1.0",
     "react-router": "^6.13.0",
     "react-router-dom": "^6.13.0",

yarn.lock

@@ -8796,7 +8796,7 @@ react-on-rails-pro@16.6.0:
   dependencies:
     react-on-rails "16.6.0"
 
-react-on-rails-rsc@^19.0.4:
+react-on-rails-rsc@19.0.4:
   version "19.0.4"
   resolved "https://registry.npmjs.org/react-on-rails-rsc/-/react-on-rails-rsc-19.0.4.tgz#a605fbaa82a0bece504de1ef0b8d5c6fae5d6be3"
   integrity sha512-KtHYz0opcXJk+Zw5aabjNiaszzpTdFgs1YfSLIZJSzU5SpddUw7b08epkxeJq/TCpR60Q9vsjxX3Q3OWJ97tMg==