Enable Shakapacker early hints

[justin808]

Changes

• Updated Gemfile to point to shakapacker from the justin808/early-hints branch.
• Updated package.json to use shakapacker from the justin808/early-hints branch.
• Enabled early_hints in config/shakapacker.yml for the production environment.

Testing

• Verify that Shakapacker builds assets correctly.
• Confirm early hints are being served in production by inspecting network requests.

---

This change is 

Summary by CodeRabbit

• New Features

  • HTTP/2 via Thruster proxy enabled; footer shows “Powered by Thruster HTTP/2”
  • Dev and production start commands now run through Thruster for improved asset delivery

• Chores

  • Ruby runtime updated to 3.4.6; runtime tooling aligned for Thruster

• Documentation

  • New and expanded guides: Thruster, HTTP/2, Early Hints verification, troubleshooting, deployments, and local verification tools

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Results when

bin/dev prod

curl -v  --http2 http://localhost:3001/  2>&1 | grep -A5 "< HTTP"

< HTTP/1.1 103 Early Hints
< Link: </packs/css/generated/RouterApp.css>; rel=preload; as=style; crossorigin="anonymous", </packs/css/stimulus-bundle.css>; rel=preload; as=style; crossorigin="anonymous"
< 
< HTTP/1.1 103 Early Hints
< link: </packs/css/generated/RouterApp.css>; rel=preload; as=style; nopush
< 
< HTTP/1.1 103 Early Hints
< link: </packs/css/stimulus-bundle.css>; rel=preload; as=style; nopush
< 
< HTTP/1.1 103 Early Hints
< link: </packs/js/runtime.js>; rel=preload; as=script; nopush
< 
< HTTP/1.1 103 Early Hints
< link: </packs/js/vendors-node_modules_react-on-rails_node_package_lib_ReactOnRails_client_js.js>; rel=preload; as=script; nopush
< 
< HTTP/1.1 103 Early Hints
< link: </packs/js/vendors-node_modules_react-on-rails_node_package_lib_ReactOnRails_full_js.js>; rel=preload; as=script; nopush
< 
< HTTP/1.1 103 Early Hints
< link: </packs/js/vendors-node_modules_marked_lib_marked_esm_js.js>; rel=preload; as=script; nopush
< 
< HTTP/1.1 103 Early Hints
< link: </packs/js/vendors-node_modules_prop-types_index_js-node_modules_babel_runtime_helpers_esm_extends_js-no-ef61e6.js>; rel=preload; as=script; nopush
< 
< HTTP/1.1 103 Early Hints
< link: </packs/js/vendors-node_modules_react_jsx-dev-runtime_js.js>; rel=preload; as=script; nopush
< 
< HTTP/1.1 103 Early Hints
< link: </packs/js/vendors-node_modules_hoist-non-react-statics_dist_hoist-non-react-statics_cjs_js-node_modules-752318.js>; rel=preload; as=script; nopush
< 
< HTTP/1.1 103 Early Hints
< link: </packs/js/vendors-node_modules_immutable_dist_immutable_es_js.js>; rel=preload; as=script; nopush
< 
< HTTP/1.1 103 Early Hints
< link: </packs/js/vendors-node_modules_axios_index_js-node_modules_react-transition-group_esm_CSSTransition_js--9574f2.js>; rel=preload; as=script; nopush
< 
< HTTP/1.1 103 Early Hints
< link: </packs/js/vendors-node_modules_rails_actioncable_app_assets_javascripts_actioncable_esm_js.js>; rel=preload; as=script; nopush
< 
< HTTP/1.1 103 Early Hints
< link: </packs/js/vendors-node_modules_marked-gfm-heading-id_src_index_js-node_modules_marked-mangle_src_index_js.js>; rel=preload; as=script; nopush
< 
< HTTP/1.1 103 Early Hints
< link: </packs/js/vendors-node_modules_react-intl_lib_index_js-node_modules_sanitize-html_index_js.js>; rel=preload; as=script; nopush
< 
< HTTP/1.1 103 Early Hints
< link: </packs/js/vendors-node_modules_react-redux_es_index_js.js>; rel=preload; as=script; nopush
< 
< HTTP/1.1 103 Early Hints
< link: </packs/js/vendors-node_modules_redux_es_redux_js.js>; rel=preload; as=script; nopush
< 
< HTTP/1.1 103 Early Hints
< link: </packs/js/vendors-node_modules_intl_index_js.js>; rel=preload; as=script; nopush
< 
< HTTP/1.1 103 Early Hints
< link: </packs/js/vendors-node_modules_react-router-dom_dist_index_js.js>; rel=preload; as=script; nopush
< 
< HTTP/1.1 103 Early Hints
< link: </packs/js/client_app_bundles_comments_components_CommentBox_CommentForm_CommentForm_jsx-client_app_bund-e33922.js>; rel=preload; as=script; nopush
< 
< HTTP/1.1 103 Early Hints
< link: </packs/js/client_app_bundles_comments_actions_commentsActionCreators_js-client_app_bundles_comments_com-3dbe23.js>; rel=preload; as=script; nopush
< 
< HTTP/1.1 103 Early Hints
< link: </packs/js/generated/RouterApp.js>; rel=preload; as=script; nopush
< 
< HTTP/1.1 103 Early Hints
< link: </packs/js/generated/NavigationBarApp.js>; rel=preload; as=script; nopush
< 
< HTTP/1.1 103 Early Hints
< link: </packs/js/generated/Footer.js>; rel=preload; as=script; nopush
< 
< HTTP/1.1 200 OK
< x-frame-options: SAMEORIGIN
< x-xss-protection: 0
< x-content-type-options: nosniff
< x-permitted-cross-domain-policies: none
< referrer-policy: strict-origin-when-cross-origin

[coderabbitai]

Walkthrough

Adds Thruster HTTP/2 proxy integration (gem, commands, Dockerfile), bumps Ruby/shakapacker versions, introduces Early Hints verification scripts, updates webpack/dev/test driver configs, adds Control Plane and Thruster docs, and adds a UI footer notice and related config/template changes.

Changes

Cohort / File(s)	Summary
Dependencies & Ruby version Gemfile, package.json, .ruby-version, .github/workflows/*	Bumped Ruby 3.4.3 → 3.4.6; added thruster gem; adjusted shakapacker/package versions; CI matrices updated to Ruby 3.4.6.
Procfiles / run commands Procfile, Procfile.dev, Procfile.dev-prod-assets, Procfile.dev-static, Procfile.dev-static-assets	Replaced direct Rails server commands with bundle exec thrust bin/rails server variants; adjusted some dev comments and sleep timings.
Control Plane / Docker / templates .controlplane/Dockerfile, .controlplane/release_script.sh, .controlplane/readme.md, .controlplane/templates/app.yml, .controlplane/templates/rails.yml	Updated base Ruby image/version and Dockerfile casing; use a SECRET_KEY_BASE precompile placeholder during asset steps; final CMD now runs via Thruster; added SECRET_KEY_BASE env in app template and rails.yml protocol comments; control-plane Thruster docs added.
Shakapacker / webpack / react_on_rails config/shakapacker.yml, config/webpack/development.js, config/initializers/react_on_rails.rb	Enabled early_hints block in shakapacker production config; gated ReactRefreshWebpackPlugin when assets_bundler is rspack; production build command now runs locale generation before asset build.
Dev verification scripts check_early_hints.js, check_early_hints.py	New CDP-based scripts to fetch page HTML from Chrome, detect Early Hints debug comments and preload links, and exit with success/failure codes.
UI client/app/bundles/comments/components/Footer/ror_components/Footer.jsx	Added "Powered by Thruster HTTP/2" informational block with three icon items (HTTP/2 enabled, Early Hints configured, Control Plane hosting).
Docs — Thruster & Early Hints README.md, docs/thruster.md, docs/early-hints-investigation.md, docs/verify-early-hints-manual.md, docs/why-curl-doesnt-show-103.md, docs/chrome-mcp-server-setup.md, .controlplane/readme.md	New and expanded documentation covering Thruster features, configuration, deployment notes, Early Hints investigation and verification, Chrome MCP setup, and troubleshooting.
Tests / Capybara drivers spec/rails_helper.rb, spec/support/driver_registration.rb	Replaced built-in :selenium_chrome_headless usage with a custom :headless_chrome driver using --headless=new and --window-size=1920,1080; updated test hooks and screenshot registration.
Misc / config tweaks config/shakapacker.yml, Procfile.* variants, other minor files	Minor comment and configuration alignment changes across various files (dev_server/server refactor, early_hints options, etc.).

Sequence Diagram(s)

sequenceDiagram
    participant Browser
    participant Thruster as Thruster (HTTP/2 proxy)
    participant Rails as Rails (app container, HTTP/1.1)

    Note over Thruster,Rails: Thruster terminates TLS/HTTP2 and proxies to Rails over HTTP/1.1

    Browser->>Thruster: HTTP/2 GET /
    Thruster->>Rails: proxied HTTP/1.1 GET /
    Rails-->>Thruster: 103 Early Hints (Link headers)
    Thruster-->>Browser: 103 Early Hints (via HTTP/2)
    Rails-->>Thruster: 200 OK + body
    Thruster-->>Browser: 200 OK + body

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Areas to focus review on:

• .controlplane/Dockerfile and .controlplane/release_script.sh: SECRET_KEY_BASE placeholder usage and final CMD change to Thruster.
• Procfile variants and runtime command changes: ensure dev/prod workflows and process management remain correct under thrust wrapper.
• check_early_hints.js / check_early_hints.py: WebSocket/CDP messaging, timeouts, and exit codes.
• config/webpack/development.js: gating logic for Rspack vs Shakapacker and ReactRefresh plugin usage.
• Capybara driver registration: test environment, screenshot saving, and CI compatibility.

Possibly related issues

• Document Thruster HTTP/2 Proxy Configuration for Rails Apps control-plane-flow#257 — Matches Thruster integration and Control Plane protocol/documentation changes (Dockerfile CMD, rails.yml guidance).
• Documentation: Add guide for migrating to Rspack with Shakapacker 9 react_on_rails#1863 — Related to shakapacker/webpack gating changes and react_on_rails build adjustments in this PR.

Possibly related PRs

• Update Ruby version from 3.3.4 to 3.4.6 #674 — Related Ruby version bump to 3.4.6 across files.
• Update to Shakapacker 9.1.0 and migrate to Rspack #680 — Related conditional webpack/react-refresh gating for rspack/assets_bundler.
• Migrate to Shakapacker 9.0.0-beta.7 with Babel transpiler #662 — Related Capybara headless Chrome driver registration changes.

Suggested reviewers

• AbanoubGhadban

Poem

🐰 Thruster hums where bytes now flow,
HTTP/2 whispers, preload seeds go,
Early hints flutter, browsers prepare,
Rails hops along — faster through air. 🚀

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'Enable Shakapacker early hints' accurately reflects the main objective of the changeset, which involves integrating Thruster HTTP/2 proxy and enabling early hints configuration across multiple files and environments.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch justin808/shakapacker-early-hints

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[justin808]

/deploy-review-app

[github-actions]

🚀 Quick Review App Commands

Welcome! Here are the commands you can use in this PR:

/deploy-review-app

Deploy your PR branch for testing

/delete-review-app

Remove the review app when done

/help

Show detailed instructions, environment setup, and configuration options.

---

[github-actions]

🏗️ Building Docker image for PR #687, commit 8731438

📝 View Build Logs

🎮 Control Plane Console

[claude]

PR Review: Enable Shakapacker Early Hints

Thank you for this PR! Here's my comprehensive review:

Summary

This PR enables HTTP/2 early hints support by updating dependencies to use the justin808/early-hints branch and configuring the feature in production.

---

Code Quality & Best Practices

Good:

• Clean, focused changes with clear intent
• Configuration change is properly scoped to production environment only
• Uses standard YAML configuration format

Concerns:

1. Ruby Version Downgrade (Gemfile:6)

   • Changed from ruby "3.4.6" to ruby "3.4.3"
   • This appears unintentional and could cause deployment issues
   • Recommendation: Revert to 3.4.6 unless there's a specific compatibility reason for the downgrade

2. Branch Dependencies in Production

   • Both Gemfile and package.json now point to a git branch rather than a stable release
   • Risk: Branch-based dependencies can change unexpectedly, breaking production builds
   • Recommendation:
     • Use this approach for testing only
     • Before merging, either:
       • Point to a tagged release/commit SHA for stability
       • Document the plan to update to an official release version
       • Add a TODO/issue to track when this will be changed to a stable version

---

Potential Bugs & Issues

1. Missing Server Configuration

   • Early hints require server-level support (HTTP/2 or HTTP/3)
   • No changes to Puma/Nginx/server configuration are included
   • Action Required: Verify your production server supports HTTP/2 and early hints
   • Rails alone won't send early hints without proper server configuration

2. Configuration Documentation

   • The early_hints configuration added to shakapacker.yml (lines 67-69) may not be the correct syntax
   • This configuration structure should be verified against the actual implementation in the justin808/early-hints branch
   • Recommendation: Check the shakapacker branch documentation for the correct config format

3. Gemfile.lock Inconsistency

   • The lock file shows the dependency is now from Git, which is correct
   • However, ensure the revision SHA 6bf6bf5c21388a402362c516370606529d6cfecd represents a stable, tested commit

---

Performance Considerations

Positive:

• Early hints can significantly improve page load performance by allowing browsers to preload critical assets
• This is especially beneficial for apps with many JavaScript/CSS bundles
• Expected improvement: Reduced time-to-interactive, faster asset loading

Considerations:

• Early hints effectiveness depends on:
  • Browser support (modern browsers only)
  • Proper HTTP/2 configuration
  • CDN support (if using one)
• Monitor performance metrics after deployment to validate improvements

---

Security Concerns

Low Risk Changes:

• No security-sensitive code modifications
• Configuration changes are isolated to production asset serving

Recommendations:

1. Ensure the git branch source is from a trusted repository (✓ shakacode/shakapacker is trusted)
2. Review the specific commits in the justin808/early-hints branch before deploying to production
3. Consider pinning to a specific commit SHA instead of a branch for better supply chain security

---

Test Coverage

Current State:

• PR includes a testing checklist but no automated tests
• No tests verify early hints functionality

Recommendations:

1. Add Integration Tests:

   # spec/requests/early_hints_spec.rb
   RSpec.describe "Early Hints", type: :request do
     it "sends early hints for asset preloading" do
       get root_path
       expect(response.headers["Link"]).to be_present
       # Verify Link headers contain preload directives
     end
   end

2. Manual Testing Checklist (from PR description):

   • ✓ Verify Shakapacker builds assets correctly
   • ✓ Confirm early hints in production via network inspector
   • Add: Test in browsers that support early hints (Chrome, Edge)
   • Add: Verify Link headers are present in response
   • Add: Measure performance impact (before/after comparison)

3. Testing Commands:

   # Check Link headers locally (if using Puma with HTTP/2)
   curl -I https://localhost:3000 --http2
   
   # Verify in production
   curl -I https://www.reactrails.com --http2 | grep -i link

---

Additional Recommendations

1. Documentation:

   • Add a comment or documentation explaining why early hints are enabled
   • Document any server configuration requirements
   • Update deployment docs if server setup is needed

2. Rollback Plan:

   • Document how to disable early hints if issues arise
   • Simply removing the config or setting enabled: false should work

3. Monitoring:

   • Add metrics to track:
     • Early hints sent successfully
     • Performance improvements (TTFB, TTI)
     • Any errors related to early hints

---

Action Items Before Merge

• Revert Ruby version to 3.4.6 or explain the downgrade
• Confirm server configuration supports HTTP/2 early hints
• Verify the shakapacker.yml configuration syntax is correct
• Consider pinning to a commit SHA instead of branch
• Add automated tests or document manual testing results
• Plan for migration to stable release version

---

Overall Assessment

Verdict: Needs revision before merge

The concept and implementation approach are sound, but there are several concerns that should be addressed:

1. Unintentional Ruby version downgrade
2. Production stability risk from branch dependencies
3. Missing server configuration verification
4. Lack of test coverage

Once these items are addressed, this should be a valuable performance improvement!

Let me know if you need help with any of these recommendations.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

config/shakapacker.yml (1)

67-69: Add context and rationale for the early_hints configuration.

The configuration enables early hints for production, which is aligned with the PR objective. However, the comment is minimal. Consider adding more detail:

• Explain what HTTP/2 Early Hints does (preloading critical resources)
• Note any performance or compatibility considerations
• Reference any related documentation or issues

Current implementation looks correct; this is a documentation enhancement request.

Consider updating the comment as follows:

  # Cache manifest.json for performance
  cache_manifest: true

  # Early hints configuration
  # HTTP/2 Early Hints allows the server to proactively push resources
  # that the client is likely to need, improving perceived performance.
  # Requires HTTP/2 support and compatible browser/client.
  early_hints:
    enabled: true

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d054855 and 8731438.

⛔ Files ignored due to path filters (2)

• Gemfile.lock is excluded by !**/*.lock
• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (3)

• Gemfile (1 hunks)
• config/shakapacker.yml (1 hunks)
• package.json (1 hunks)

🔇 Additional comments (3)

Gemfile (2)

6-6: Clarify the reason for downgrading Ruby from 3.4.6 to 3.4.3.

This is a patch-version downgrade without explanation. Confirm whether this is:

• A required dependency constraint from the new Shakapacker branch
• A security or compatibility fix
• An intentional change with a specific reason

If unintentional or not required, consider reverting to 3.4.6.

---

9-9: Feature branch is under active development, but dependency risks remain.

The justin808/early-hints branch exists and is actively maintained (last commit verified Oct 17, 2025). Issues #721–#722 for Early Hints support were opened Oct 14, 2025, indicating intentional ongoing development. However, using an unreleased feature branch in production dependencies poses real risks:

• Non-deterministic builds: Branch can change without notice; successive deployments may pull different code.
• Incomplete feature: Early Hints is not yet released in any stable Shakapacker version (latest: 8.3.0, April 2025).
• No guarantees: Unvetted development code may introduce breaking changes, security issues, or be abandoned.

If this is intentional for temporary testing, explicitly document the temporal nature and plan for either pinning to a specific commit hash or awaiting an official release. Otherwise, consider reverting to a stable released version.

package.json (1)

95-95: Confirm intentionality of branch-based dependency and align Gemfile and package.json if upgrading.

Both Gemfile and package.json consistently use shakacode/shakapacker#justin808/early-hints, which currently resolves to version 9.3.0.beta.2. While stable releases exist (9.1.0, 9.2.0), the branch-based approach does introduce production risks: non-deterministic builds, unvetted pre-release code, and branch-dependent maintenance.

Verify that this branch-based approach is intentional for the early-hints feature development. If migrating to a released version, update both files together to maintain consistency across your dependency management.

[github-actions]

🏗️ Building Docker image for PR #687, commit a810cca

📝 View Build Logs

🎮 Control Plane Console

[claude]

PR Review: Enable Shakapacker early hints

I've reviewed this PR and here's my comprehensive feedback:

Overall Assessment

This is a clean and focused PR that enables HTTP/2 Early Hints support for asset preloading. The changes are well-scoped and follow a logical pattern.

---

Code Quality and Best Practices

Strengths:

• Minimal, targeted changes: Only modifies what's necessary (Gemfile, package.json, shakapacker.yml)
• Clean dependency management: Uses branch references from the same organization (justin808/early-hints)
• Proper configuration scope: Early hints enabled only in production environment (config/shakapacker.yml:67-69)
• Consistent versioning: Gemfile.lock shows proper Git revision tracking

Recommendations:

1. Document the branch strategy

   • This PR depends on an unreleased feature from a branch (justin808/early-hints)
   • Add a comment explaining why using a branch instead of a released version
   • Include migration plan to switch to official release

2. Ruby version update anomaly

   • Ruby version changed from 3.4.6p32 to 3.4.6p54
   • This patch level change appears unrelated to early hints
   • Consider documenting this in the PR description

---

Performance Considerations

Positive Impact:

Early Hints is excellent for performance:

• Sends 103 Early Hints status with Link headers before the full response
• Allows browsers to preload critical assets (CSS, JS) while Rails processes the request
• Can improve Time to First Byte (TTFB) perception and reduce render-blocking delays
• Particularly beneficial for apps with significant server-side rendering time

Important Requirements:

HTTP/2 Support Required:
Early hints ONLY work with HTTP/2 or HTTP/3. I checked your Puma configuration and noticed:

• No explicit HTTP/2 configuration visible
• Default Puma setup uses HTTP/1.1

Action Required:

1. Verify your production server setup supports HTTP/2
2. If using a reverse proxy (nginx, CloudFlare, etc.), ensure it supports HTTP/2
3. Check your deployment platform (Heroku/Control Plane) supports Early Hints
4. Consider adding documentation about HTTP/2 requirements

---

Potential Bugs or Issues

Critical: Compatibility Check Needed

1. Server compatibility:

   • Early Hints requires Rack >= 3.0 for proper support
   • Verify Gemfile.lock shows Rack 3.x (Rails 8.0 should include this)

2. Browser compatibility:

   • Chrome/Edge: Full support
   • Firefox: Full support
   • Safari: Limited support (16.4+)
   • Gracefully degrades in unsupported browsers

3. Middleware compatibility:

   • Some Rack middleware may not properly handle 103 responses
   • Common culprits: CDNs, WAFs, reverse proxies
   • Recommendation: Test thoroughly in staging with your full middleware stack

---

Security Concerns

Low Risk:

• Early Hints only affects the timing of when asset URLs are sent to browsers
• No new attack surface introduced
• Uses the same asset URLs already in your manifest

Considerations:

1. Content Security Policy (CSP): If using CSP, ensure Early Hints headers comply

2. Branch dependency from GitHub:

   • Using branch refs means updates happen automatically on bundle update
   • Could introduce unexpected changes
   • Recommendation: Pin to specific commit SHA once feature stabilizes

---

Test Coverage

Missing Tests:

Currently, there are no tests included for this feature. This is concerning for a production configuration change.

Recommended Test Coverage:

1. Configuration test - Verify early hints enabled in production config
2. Integration test - Test early hints headers in production environment
3. Manual testing checklist:
   • Verify early hints in production staging environment
   • Check browser DevTools Network tab for 103 status
   • Measure page load performance before/after
   • Test with different browsers (Chrome, Firefox, Safari)
   • Verify CDN/proxy compatibility

---

Action Items Summary

Before Merging:

1. Document why using a branch dependency and migration plan to stable release
2. Verify HTTP/2 is enabled in production environment
3. Confirm Rack 3.x compatibility
4. Add testing checklist to PR description
5. Test in staging environment with actual HTTP/2 setup

Nice to Have:

6. Add performance metrics/benchmarks from staging
7. Pin to specific commit SHA instead of branch
8. Document HTTP/2 requirement in deployment docs
9. Add automated tests for configuration

---

Conclusion

This is a good quality PR with clear intent and clean implementation. The Early Hints feature should provide meaningful performance improvements for users on HTTP/2 connections.

Main concerns:

1. HTTP/2 server compatibility (needs verification)
2. Missing tests (adds risk for production feature)
3. Branch dependency instead of release (sustainability concern)

Recommendation: Approve with conditions - Address the HTTP/2 verification and testing checklist before deploying to production.

Great work on keeping the changes focused and well-organized!

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a810cca and 9fca254.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (1)

• package.json (2 hunks)

🔇 Additional comments (2)

package.json (2)

20-20: Verify the postinstall build produces the expected shakapacker bundle.

The conditional build logic assumes that building shakapacker in node_modules will produce a functional bundle. Confirm that:

• The yarn build step in shakapacker completes successfully
• The resulting index.js is actually generated and usable by the asset pipeline
• No build artifacts are missing or corrupted

Test this locally on both Mac/Linux and Windows (or WSL) by running yarn install and verifying the bundle integrity.

---

95-95: <!-- [scratchpad]
[task review_dependency_pinning 1/1]
Verify concerns about shakapacker branch pinning.

[observations]

• Repository: react-webpack-rails-tutorial (by shakacode)
• Dependency: "shakapacker": "github:shakacode/shakapacker#justin808/early-hints"
• Branch justin808/early-hints is ACTIVE and recently updated (Oct 17, 2025)
• Latest commit: 6bf6bf5
• postinstall script present: builds shakapacker from source if needed
• yarn.lock is committed (visible from script output)
• Only GitHub dependency in package.json
• Recent commit message: "Add postinstall script to build shakapacker from GitHub branch"

[analysis]

• Review comment is technically correct: branch refs are mutable, commits are more reproducible
• HOWEVER: Context matters significantly here
• This is a tutorial repo testing an unreleased feature from upstream shakapacker
• postinstall script + committed yarn.lock already provide reproducibility guarantees
• The branch reference is intentional, not accidental
• This is a legitimate pattern for feature-branch testing before stable release
• Pinning to commit 6bf6bf5 would actually be worse if developers want to test updates

[conclusion]
Review comment's concern is valid but overly rigid for this development/testing scenario. The current setup mitigates the stated risks through:

1. Committed yarn.lock (deterministic installs)
2. postinstall build script (explicit build process)
3. Active upstream maintenance
   The developer should make an informed decision about whether this temporary feature-branch reference aligns with their project's dependency strategy.

[done]
Verification complete. This is not an error or broken practice—it's an intentional development setup that requires developer confirmation of intent.
</scratchpad]

Confirm whether pinning shakapacker to the feature branch is intentional and acceptable for your project's current development phase.

The review comment's concern about branch mutability is technically valid; however, your setup already mitigates the key reproducibility risks:

• yarn.lock is committed, making installs deterministic
• postinstall script builds shakapacker from source, showing deliberate integration testing
• Branch justin808/early-hints is active and maintained (latest commit: 6bf6bf5, updated Oct 17, 2025)

This is a legitimate pattern for testing unreleased features from an upstream branch before a stable release. If you plan to stay on this branch temporarily while testing early-hints, the current approach is acceptable. However, you should:

1. Document in a comment why this branch reference exists (e.g., "TODO: pin to shakapacker release once early-hints merges")
2. Plan to upgrade to a stable shakapacker release once the feature ships
3. If you want extra safety now, pin to the specific commit (#6bf6bf5) with a comment explaining it's temporary

[github-actions]

🎉 ✨ Deploy Complete! 🚀

🌐 ➡️ Open Review App

Deployment successful for PR #687, commit 9fca254

🎮 Control Plane Console
📋 View Completed Action Build and Deploy Logs

[claude]

Pull Request Review: Enable Shakapacker Early Hints

Thank you for this PR! I've reviewed the changes to enable early hints support in Shakapacker. Here's my detailed feedback:

✅ Code Quality & Best Practices

Strengths:

• Clean, focused changes that modify only the necessary files
• Proper use of git-based dependency management for the feature branch
• Configuration changes are isolated to production environment (appropriate for new feature testing)
• YAML configuration follows existing patterns in shakapacker.yml

Concerns:

1. Dependency Management (Medium Priority)

   • Both Gemfile and package.json now point to a feature branch (justin808/early-hints) rather than a stable release
   • Recommendation: This is acceptable for testing, but before merging to main, consider:
     • Document the timeline for when this will be merged into Shakapacker's main branch
     • Add a TODO comment or GitHub issue to track reverting to a stable version
     • Ensure the team is aware this creates a non-standard dependency

2. postinstall Script Complexity (Low Priority)

   • The new postinstall script in package.json:20 is complex and has potential failure points:

     if [ -f node_modules/shakapacker/package/index.ts ] && [ ! -f node_modules/shakapacker/package/index.js ]; then cd node_modules/shakapacker && yarn install --production=false && yarn build; fi

   • Issues:
     • Shell script compatibility (won't work on Windows without WSL/Git Bash)
     • Silent failures if the build fails
     • Modifies node_modules which can cause issues with lockfile integrity
   • Recommendation: Consider adding error handling or documenting this requirement in the README

🐛 Potential Bugs & Issues

1. Missing Server Configuration

   • Early hints (HTTP 103) require server support (Puma, Nginx, etc.)
   • Action Required: Verify that:
     • Puma version supports early hints (requires Puma 5.0+)
     • Production deployment environment (web server/load balancer) supports HTTP/2
     • No intermediate proxies strip the 103 Early Hints responses

2. No Rollback Strategy

   • The PR checklist mentions verifying early hints in production, but there's no documented rollback plan
   • Recommendation: Add a feature flag or environment variable to toggle early hints without redeployment

3. Configuration Validation

   • The YAML structure early_hints: enabled: true is added but there's no validation
   • Recommendation: Verify that Shakapacker properly validates this configuration and provides helpful errors if misconfigured

⚡ Performance Considerations

Positive Impacts:

• Early hints can significantly improve perceived load time by allowing browsers to preload assets while the server generates the response
• This is particularly beneficial for this app since it uses React with multiple asset bundles

Potential Issues:

1. Asset Manifest Overhead

   • Early hints work best with stable asset names
   • Verify that the digest-stamped asset names (for cache busting) don't change too frequently
   • Consider monitoring the impact on CDN/cache hit rates

2. No Metrics/Monitoring

   • The PR doesn't include any way to measure the effectiveness of early hints
   • Recommendation: Add logging or monitoring to track:
     • Whether early hints are being sent
     • Performance impact (use Browser Timing API or RUM tools)
     • Any errors in asset hint generation

🔒 Security Concerns

1. Low Risk: Early hints themselves don't introduce security vulnerabilities
2. Consideration: Ensure Content Security Policy (CSP) headers are compatible with preloaded resources
   • Check config/initializers/content_security_policy.rb if present
   • Early hints might trigger CSP violations if policies are too restrictive

🧪 Test Coverage

Current State:

• ❌ No automated tests for early hints functionality
• ❌ Manual testing checklist provided but not completed

Recommendations:

1. Add Integration Tests

   # Suggested test structure
   describe "Early Hints", type: :request do
     it "sends 103 Early Hints in production mode" do
       # Test that appropriate Link headers are sent
     end
   end

2. Test Cases to Cover:

   • Verify 103 response is sent before the main response
   • Validate Link headers contain correct asset paths
   • Ensure early hints are only sent in production
   • Test behavior when early_hints.enabled: false

3. Manual Testing Checklist Enhancement:

   • Add specific commands to verify early hints (e.g., curl -i to inspect headers)
   • Document expected header format
   • Test with HTTP/2 specifically

📝 Additional Recommendations

1. Documentation

   • Add a comment in config/shakapacker.yml explaining what early hints do
   • Update README or deployment docs with server requirements
   • Document browser compatibility (early hints require HTTP/2-capable browsers)

2. Monitoring Strategy

   • Consider adding APM/monitoring to track:
     • Server response time changes
     • Client-side rendering performance
     • Any increase in server load

3. Gradual Rollout

   • Consider testing on staging first with production-like traffic
   • Monitor for any unexpected issues before enabling in production

🎯 Summary

Overall Assessment: This is a well-intentioned performance optimization with clean implementation. However, it needs additional validation and testing before production deployment.

Recommendation: Request Changes

Required Before Merge:

1. ✅ Complete the manual testing checklist (currently unchecked)
2. ✅ Verify Puma and server infrastructure support
3. ✅ Add at least basic integration test coverage
4. ✅ Document the dependency on a feature branch and timeline for stable release

Nice to Have:

1. Add monitoring/logging for early hints
2. Implement feature flag for safer rollout
3. Enhance postinstall script with better error handling
4. Update documentation

Files Changed Review:

• Gemfile & Gemfile.lock: ⚠️ Feature branch dependency
• package.json: ⚠️ Complex postinstall script
• yarn.lock: ✅ Auto-generated, looks correct
• config/shakapacker.yml: ✅ Clean configuration addition

Great work on exploring performance optimizations! Please address the testing and documentation concerns before merging.

---

Review generated with assistance from Claude Code

[github-actions]

🎉 ✨ Deploy Complete! 🚀

🌐 ➡️ Open Review App

Deployment successful for PR #687, commit eb1b3be

🎮 Control Plane Console
📋 View Completed Action Build and Deploy Logs

[claude]

Pull Request Review: Enable Shakapacker Early Hints

Overview

This PR updates the project to use a development branch of Shakapacker that includes early hints support, and enables the early hints feature in production. The changes are focused on dependency updates and configuration.

---

Code Quality & Best Practices

✅ Strengths

• Clear intent: The PR has a focused scope - enabling early hints support
• Consistent updates: Both Gemfile and package.json are updated to use the same branch
• Configuration is production-only: Early hints are enabled only in the production environment, which is appropriate for testing performance improvements

⚠️ Concerns

1. Using a Development Branch in Production (HIGH PRIORITY)

• Issue: Both Gemfile (line 9) and package.json (line 95) reference the justin808/early-hints branch instead of a stable release
• Risk: Development branches can change without notice, potentially breaking builds in the future
• Recommendation:
  • Before merging to main/master, wait for this feature to be released in a stable version
  • If this must be deployed before a stable release, consider:
    • Pinning to a specific commit SHA instead of a branch name
    • Documenting the temporary nature of this dependency
    • Setting up a reminder to update to a stable version once available

2. Complex postinstall Script (MEDIUM PRIORITY)

• Issue: The postinstall script in package.json (line 20) has become quite complex
• Risks:
  • Shell-dependent (won't work on Windows without WSL/Git Bash)
  • Builds dependencies during install, which can slow down deployments
  • Modifies node_modules in a non-standard way
• Recommendation:
  • Document why this script is necessary (appears to be building TypeScript source from the branch)
  • Consider adding a comment explaining this is temporary until the feature is released
  • Test that this works in your CI/CD environment

3. Ruby Version Mismatch in Gemfile.lock

• Observation: The Gemfile.lock shows a Ruby version change from 3.4.6p32 to 3.4.6p54
• Action Required: This suggests the lock file was generated with a different patch version. Ensure all developers and CI are using the same Ruby version to avoid lock file churn.

---

Potential Bugs & Issues

1. Missing Early Hints Server Support Verification

• Issue: Early hints (HTTP 103 responses) require server support
• Questions:
  • Does your production server (Puma) support early hints? (Puma 5.0+ does)
  • Is your reverse proxy/CDN configured to pass through 103 responses?
  • Have you verified the infrastructure supports this feature?
• Recommendation: Document the server requirements in the PR description or add a comment in the config file

2. No Fallback or Feature Flag

• Issue: The feature is enabled unconditionally in production
• Recommendation: Consider adding a feature flag or environment variable to toggle this on/off without code changes, especially during the initial rollout

3. Testing Checklist Items Not Completed

• Observation: The PR description has unchecked testing items
• Recommendation: Complete these tests before merging

---

Performance Considerations

✅ Expected Benefits

• Early hints can improve perceived page load performance by allowing browsers to start downloading assets earlier
• This is particularly beneficial for sites with many CSS/JS assets

⚠️ Monitoring Recommendations

• Set up monitoring to measure the actual performance impact
• Track metrics like:
  • Time to First Byte (TTFB)
  • First Contentful Paint (FCP)
  • Largest Contentful Paint (LCP)
• Compare before/after metrics to validate the improvement

---

Security Concerns

✅ No Critical Security Issues

• The changes don't introduce obvious security vulnerabilities
• Early hints are a standard web performance feature

⚠️ Supply Chain Considerations

• Medium Risk: Using an unreleased branch from a dependency introduces supply chain risk
• Mitigation:
  • The branch is from the same organization (shakacode/shakapacker), reducing risk
  • Review the branch code changes before deploying
  • Monitor for any unexpected changes to the branch

---

Test Coverage

⚠️ Missing Tests

• No automated tests for the early hints functionality
• Recommendations:
  1. Add integration tests that verify assets are being preloaded correctly
  2. Add configuration tests to ensure early_hints setting is properly read
  3. Consider adding a test that checks for the presence of HTTP 103 responses (if feasible in your test environment)

---

Configuration Review

The config/shakapacker.yml changes look good:

• Properly nested under the production environment
• Clear configuration structure
• Enabled flag is explicit

---

Recommendations Summary

Before Merging:

1. ✅ Complete the testing checklist in the PR description
2. ⚠️ Verify server infrastructure supports HTTP 103 early hints
3. ⚠️ Consider pinning to a specific commit SHA instead of branch name
4. ⚠️ Document the temporary use of a development branch
5. ⚠️ Ensure all environments use Ruby 3.4.6p54 to avoid lock file changes

After Merging:

1. Monitor performance metrics to validate improvements
2. Set up alerts for build failures related to the branch dependency
3. Create a follow-up issue to update to a stable release when available
4. Document the early hints feature and server requirements

Nice to Have:

• Add a feature flag for easier rollback
• Add automated tests for early hints functionality
• Document Windows compatibility for the postinstall script

---

Overall Assessment

Status: ⚠️ Conditional Approval - The changes are technically sound, but using development branches in production is risky.

Severity: The main concern is the dependency on an unreleased branch. This should be addressed before merging or clearly documented as a temporary measure with a plan to migrate to a stable release.

The configuration changes themselves are well-structured and focused. Once the dependency concerns are addressed and testing is completed, this PR should be good to merge.

---

Review generated with attention to code quality, security, and production readiness.

[github-actions]

🎉 ✨ Deploy Complete! 🚀

🌐 ➡️ Open Review App

Deployment successful for PR #687, commit 9930aaf

🎮 Control Plane Console
📋 View Completed Action Build and Deploy Logs

[claude]

Pull Request Review: Enable Shakapacker Early Hints

Thank you for this PR! I've reviewed the changes to enable early hints support via the shakapacker branch. Here's my detailed feedback:

✅ Positive Aspects

1. Clear Purpose: The PR has a well-defined goal of enabling early hints to improve perceived page load performance.
2. Systematic Approach: The commits show a thoughtful progression from basic integration to handling edge cases (Ruby version, build requirements).
3. Debug Support: Enabling debug: true in the early hints configuration is excellent for verification and troubleshooting.

---

🔍 Code Quality & Best Practices

1. PostInstall Script (package.json:20)

The postinstall script has grown quite complex. This one-liner is hard to read and maintain.

Concerns:

• Fragility: Hard to read and maintain
• Error Handling: No error handling if any step fails
• Windows Compatibility: Shell commands using [ -f ] won't work on Windows
• CI/CD Impact: Installing dev dependencies and building on every install adds significant time

Recommendations:

• Extract this logic into a separate Node.js script for better cross-platform compatibility
• Add proper error handling
• Consider the impact on CI/CD build times

2. Branch Dependency Management

Using a GitHub branch as a dependency is appropriate for testing/preview, but:

Concerns:

• Lock File Volatility: Any upstream changes to the branch will require lock file updates
• Production Readiness: Branch dependencies should be temporary

Recommendations:

• Document in the PR description when this will be replaced with a stable release
• Consider using a specific commit hash instead of branch name for more stability

3. Early Hints Configuration (config/shakapacker.yml:67-70)

The configuration looks good, but could use more documentation.

Recommendations:

• Add comments explaining what early hints are and their purpose for future maintainers
• Consider if debug: true should remain in production long-term, or if it should be removed after verification

---

🐛 Potential Issues

1. Ruby Version Change (Gemfile.lock)

I noticed the Ruby version patch changed from 3.4.6p32 to 3.4.6p54. This appears to be an unintentional side effect rather than a deliberate change.

Impact: Low - same minor/patch version
Recommendation: Verify this matches your team's development and production environments

2. Yarn.lock Changes

The yarn.lock shows all resolved URLs changed format. This is cosmetic but suggests a potential yarn version inconsistency.

Recommendation: Ensure all developers are using the same yarn version (currently specified as 1.22.22 in package.json)

---

🔒 Security Considerations

1. Branch Dependency Security

✅ Good: Using a specific commit in the lock file provides reproducible builds
⚠️ Concern: GitHub branch dependencies bypass npm's security audit

Recommendations:

• Run yarn audit to check other dependencies
• Monitor the shakapacker branch for any security-related commits
• Plan to migrate to a stable npm release when available

2. Build Script Execution

The postinstall script runs arbitrary build commands from a third-party package.

Impact: Low (trusted source - shakacode)
Mitigation: Already in place - you're using a specific git commit hash in the lock file

---

⚡ Performance Considerations

1. Install Time

The postinstall script conditionally builds shakapacker from source, which:

• Increases initial install time significantly
• Requires dev dependencies to be installed even in production-like CI environments

Recommendations:

• Document expected install time increase in the PR description
• Consider caching the built shakapacker in CI/CD pipelines

2. Early Hints Benefits

✅ This is the whole point of the PR! Early hints should provide measurable performance improvements.

Recommendations:

• Add performance testing to the PR checklist
• Document how to verify early hints are working (inspect network requests for 103 Early Hints responses)
• Consider adding metrics/monitoring to track the performance impact

---

🧪 Testing & Verification

The PR description has a testing checklist, which is great! However:

Missing Test Coverage:

• No automated tests for the postinstall script
• No verification that the early hints configuration is properly loaded

Recommendations:

• Add instructions for manually testing early hints
• Test the postinstall script in a clean environment

---

📋 Summary

Overall Assessment: This is a solid PR with a clear purpose and systematic implementation. The main concerns are around the complexity of the postinstall script and the temporary nature of using a branch dependency.

Priority Recommendations:

1. High: Refactor postinstall script for better maintainability and cross-platform support
2. Medium: Document migration plan from branch to stable release
3. Medium: Add verification steps for early hints functionality
4. Low: Clean up debug mode and improve configuration comments

Approval Status: ⚠️ Approve with suggestions - The code works, but would benefit from the improvements above before merging.

---

Great work on improving the application's performance! Let me know if you'd like help implementing any of these suggestions.

[github-actions]

🎉 ✨ Deploy Complete! 🚀

🌐 ➡️ Open Review App

Deployment successful for PR #687, commit 395b7a4

🎮 Control Plane Console
📋 View Completed Action Build and Deploy Logs

[claude]

PR Review: Enable Shakapacker Early Hints

Overview: This PR enables HTTP/2 early hints support in Shakapacker to improve perceived page load performance by allowing the server to send link headers early in the response lifecycle.

Code Quality - Positive aspects:

• Clean, focused changes with clear intent
• Good separation of concerns - dependency updates are isolated
• Configuration follows Shakapacker conventions
• Appropriate environment targeting (production only)

Suggestions:

1. postinstall script complexity (package.json:20)

   • This is a complex one-liner that conditionally builds Shakapacker from source
   • Consider documenting WHY this is needed (probably because you're using a branch that hasn't been built/published)
   • This could fail silently or cause confusion for contributors
   • Recommendation: Add a comment in package.json explaining this is temporary while testing the early-hints branch

2. Debug mode in production (config/shakapacker.yml:70)

   • Having debug: true in production configuration could expose implementation details via HTML comments
   • Recommendation: Consider setting this to false for production or making it environment-variable controlled

Potential Issues:

1. Branch dependency stability

   • Using a feature branch (justin808/early-hints) as a dependency creates potential issues:
     • Branch could be force-pushed, rebased, or deleted
     • No version pinning - behavior could change unexpectedly
     • CI/CD reproducibility concerns
   • Recommendation: Once the feature is stable, point to a tagged release or specific commit SHA

2. Postinstall performance impact

   • The conditional build in postinstall could significantly slow down yarn install
   • On every install, the script checks files and potentially rebuilds Shakapacker
   • Recommendation: Monitor install times and consider alternatives once the feature is merged upstream

3. Ruby version change (Gemfile.lock)

   • The ruby patch version changed from 3.4.6p32 to 3.4.6p54
   • This appears to be an unintentional change from updating dependencies

Performance Considerations:

Positive:

• Early hints can significantly improve perceived performance by allowing browsers to start fetching assets earlier
• This is especially beneficial for apps with many JavaScript/CSS assets

Considerations:

1. Server support required - Early hints require HTTP/2+ and server support (e.g., Puma 5+)
2. Verify your deployment environment supports this feature
3. Consider documenting minimum server requirements
4. Consider adding performance metrics or screenshots showing the improvement

Security Concerns (Overall: Low Risk):

1. Debug mode exposure - HTML comments in production could leak asset paths or configuration details (not critical but follows principle of least disclosure)
2. Branch dependency from GitHub - Dependencies from branches should be temporary (ensure branch is from trusted source)
3. No obvious security vulnerabilities introduced

Test Coverage Concerns:

1. No automated tests included - Consider adding:

   • Integration tests verifying the configuration is loaded
   • Tests ensuring early hints headers are sent when enabled
   • Negative tests with early hints disabled

2. Manual testing checklist improvements:

   • Test with different browsers (Safari, Chrome, Firefox)
   • Verify performance improvement with tools like Lighthouse
   • Test that the feature gracefully degrades on HTTP/1.1
   • Verify no issues in development/test environments

Additional Recommendations:

1. Documentation - Consider adding docs about what early hints are, why they're enabled, how to verify they're working, server requirements, and how to disable if needed

2. Rollback plan - Since this is a production feature, have a clear rollback strategy (the feature can be easily disabled via config, which is good)

3. Monitoring - Once deployed, monitor for unexpected errors, performance improvements, and server resource usage changes

4. Yarn.lock size - The yarn.lock diff is 2665 lines, verify no unexpected dependencies were added

Summary:

Verdict: Approve with minor suggestions

This PR is well-structured and implements a useful performance feature. The main concerns are:

• MEDIUM: Debug mode enabled in production config
• MEDIUM: Relying on unstable branch dependency
• LOW: Complex postinstall script needs documentation
• LOW: Missing automated tests

Before merging:

1. Decide whether to keep debug: true in production
2. Document the temporary branch dependency
3. Plan for updating to a stable release once merged upstream

After merging:

1. Monitor production for issues
2. Measure performance improvements
3. Update to stable Shakapacker release when available

Great work on improving performance!

[github-actions]

🎉 ✨ Deploy Complete! 🚀

🌐 ➡️ Open Review App

Deployment successful for PR #687, commit 58f9d8e

🎮 Control Plane Console
📋 View Completed Action Build and Deploy Logs

[claude]

Pull Request Review: Enable Shakapacker Early Hints

Overview

This PR enables HTTP/2 Early Hints support for Shakapacker by updating dependencies to use the justin808/early-hints branch and configuring the feature in production. Overall, this is a positive change that should improve perceived page load performance.

Summary of Changes

• Updated Gemfile to use shakapacker from GitHub branch justin808/early-hints
• Updated package.json to use shakapacker from the same GitHub branch
• Added postinstall script to build shakapacker when installed from source
• Enabled early hints in config/shakapacker.yml for production with debug mode
• Updated lock files

Code Quality and Best Practices

Strengths

1. Well-documented commits with clear explanations
2. Comprehensive approach including all necessary dependency updates
3. Smart postinstall script with conditional build logic
4. Debug mode enabled for initial rollout verification

Areas for Improvement

1. Temporary Dependency Configuration
The PR uses GitHub branch dependencies rather than published versions. Consider adding a TODO or tracking issue to revert to a published version once the early-hints feature is merged and released.

2. Postinstall Script Complexity
The postinstall script in package.json line 20 is complex for a one-liner. Consider moving to a separate script file for better maintainability and error handling.

3. Configuration Documentation
The shakapacker.yml configuration lacks inline documentation about available options and server requirements.

Potential Bugs or Issues

Medium Priority

1. Platform Compatibility: The bash script may not work on Windows
2. Production Build Bloat: The postinstall script runs yarn install with production=false which installs dev dependencies
3. Missing Changelog: No update to CHANGELOG.md

Low Priority

1. Ruby Version: Gemfile.lock shows Ruby version changed from 3.4.6p32 to 3.4.6p54 - ensure CI/CD alignment

Performance Considerations

Positive Impact

• Early Hints Feature: HTTP/2 Early Hints (HTTP 103) allows browsers to start loading critical assets while the server generates the full response, improving perceived TTFB and page load times
• Production Only: Good decision to target production where benefits are most impactful

Potential Concerns

1. Build Time: Building shakapacker from source increases yarn install time for local dev, CI/CD, and container builds
2. Server Requirements: Early hints require HTTP/2 and web server support (Puma 6+, nginx, etc.)

Recommendation: Document server requirements in PR description or README

Security Concerns

Generally safe - no major security concerns identified.

Minor Considerations:

1. Branch-based dependencies mean code could change without version updates - consider pinning to specific commit SHA
2. Debug mode outputs HTML comments that could expose asset paths - fine for testing but consider disabling after verification

Test Coverage

Missing automated tests. The PR description has a testing checklist but no automated test coverage.

Recommendations:

1. Add integration tests verifying early hints headers are sent
2. Add CI check that verifies shakapacker builds correctly from source
3. Document manual testing procedure (browser dev tools, curl commands, expected headers)

Additional Recommendations

Documentation

1. Update README.md to mention early hints feature
2. Add migration guide for others wanting to use this feature
3. Document rollback procedure

Deployment Strategy

1. Consider feature flag or gradual rollout
2. Monitor performance metrics before/after
3. Have plan to quickly disable if issues occur

Future Improvements

1. Add metrics/logging for early hints usage
2. Configure which assets should be preloaded
3. A/B test performance impact

Conclusion

This is a well-structured PR that adds a valuable performance feature. The implementation is clean and the commit history shows good iteration.

Approve with Minor Changes

Before Merging:

1. Consider pinning dependencies to specific commit SHA
2. Add documentation about server requirements
3. Add plan/issue for migrating to published version
4. Consider adding automated tests

After Merging:

1. Monitor production performance metrics
2. Verify early hints are working in production
3. Consider disabling debug mode after verification
4. Plan to update to stable release when available

Great work on implementing early hints support!

[claude]

Pull Request Review: Enable Shakapacker Early Hints

Summary

This PR enables early hints support by switching to a development branch of Shakapacker. Overall, the implementation looks reasonable for experimental/development purposes, but there are several important considerations before merging.

---

Code Quality & Best Practices

Strengths

1. Clear intent: The PR has a focused scope - enabling early hints functionality
2. Configuration approach: Using YAML configuration is the right approach for feature flags
3. Environment-specific: Early hints are only enabled in production, which is sensible

Concerns

1. Using a Development Branch in Production (Critical)

Files: Gemfile:9, package.json:95

Both Ruby and Node dependencies point to a feature branch (justin808/early-hints) rather than a stable release.

Issues:

• This branch can change without notice, breaking builds
• No version pinning means non-reproducible builds
• The branch could be force-pushed, rebased, or deleted
• CI/CD pipelines become unreliable

Recommendation:

• Pin to a specific commit SHA for stability (ref: 915edce51481bb1135853f9b877fd243623a9820)
• Or wait for this feature to be merged and released in a stable version
• Add a TODO/comment explaining this is temporary pending official release

2. Complex postinstall Script (Medium Priority)

File: package.json:20

The postinstall script is complex and fragile:

• Complex bash logic in package.json can fail silently
• Building dependencies during install is fragile and slow
• Not portable to Windows environments

Questions:

• Why does shakapacker need to be built from source?
• Is this temporary until the branch is properly published?
• What happens if the build fails?

Recommendations:

• Add error handling
• Consider extracting to a separate script file
• Add comments explaining why this is necessary

3. Debug Mode in Production (Security/Performance)

File: config/shakapacker.yml:70

Debug mode is enabled in production config which may leak information about asset loading, timing, or internal paths through HTML comments.

Recommendation: Set debug: false for production or make it environment-variable controlled

---

Potential Bugs & Issues

1. Gemfile.lock Ruby Version Change (Low Priority)

The Ruby version changed from 3.4.6p32 to 3.4.6p54. Was this intentional?

2. Missing Error Handling

• No validation that early hints are actually working
• No fallback if the feature fails
• The PR testing checklist is incomplete

---

Performance Considerations

Positive Impacts

1. Early hints can improve perceived performance by allowing browsers to preload assets
2. HTTP/2+ optimization
3. Production-only: Won't impact development workflow

Concerns

1. Build time: The postinstall script adds overhead
2. Deployment complexity: Building from source could slow down deployments
3. yarn.lock changes: 1338 additions/1327 deletions suggests significant dependency tree changes

Recommendations:

• Benchmark deploy times before/after
• Monitor production performance metrics after enabling
• Consider A/B testing early hints impact

---

Security Concerns

1. Supply Chain Risk (High Priority)

• Installing from an unmerged branch bypasses normal security review
• No guarantee the branch hasn't been tampered with
• Dependencies could change without review

Mitigation:

• Pin to specific commit SHA
• Review the shakapacker branch changes thoroughly

2. Information Disclosure (Low Priority)

• Debug mode in production could reveal asset structure

3. Dependency Audit

Run security audits: bundle audit and yarn audit

---

Test Coverage

Missing Tests

The PR description shows an incomplete testing checklist

Recommendations:

1. Add automated tests for the build process
2. Integration test to verify early hints headers are sent
3. Manual testing guide
4. Rollback plan

---

Additional Recommendations

1. Documentation

• Add comments in shakapacker.yml explaining what early hints does
• Document browser compatibility (requires HTTP/2+ and modern browsers)

2. Server Requirements

Early hints require:

• HTTP/2 or HTTP/3
• Puma 5.0+
• Properly configured reverse proxy

Action: Verify production infrastructure supports early hints

3. Monitoring

• Add logging/metrics to track effectiveness
• Monitor for errors
• Track performance improvements

---

Summary & Verdict

Blocking Issues (Must Fix Before Merge)

1. Pin dependencies to commit SHA instead of floating branch
2. Disable debug mode in production or make it configurable
3. Complete testing checklist and verify functionality

Non-Blocking Recommendations

1. Improve postinstall script error handling
2. Add automated tests
3. Document server requirements
4. Run security audits
5. Clarify Ruby version change

Questions for Author

1. When will the justin808/early-hints branch be merged upstream?
2. Is there a timeline for this becoming a stable release?
3. Have you tested this in a production-like environment?
4. What performance improvements have you observed?
5. Why does shakapacker need to be built during postinstall?

---

Conclusion

The early hints feature is a valuable performance optimization, but this PR introduces significant stability and security risks by depending on an unmerged development branch.

I recommend either:

1. Option A (Preferred): Wait for the feature to be merged and released in a stable version
2. Option B: Pin to a specific commit SHA, add comprehensive testing, disable debug mode, and treat this as an experimental deployment

The code quality is good, but the deployment approach needs refinement for production use.

[github-actions]

🎉 ✨ Deploy Complete! 🚀

🌐 ➡️ Open Review App

Deployment successful for PR #687, commit 8082229

🎮 Control Plane Console
📋 View Completed Action Build and Deploy Logs

[claude]

Pull Request Review: Enable Shakapacker Early Hints

This PR introduces Thruster HTTP/2 proxy and early hints configuration. Overall, this is a well-executed implementation with excellent documentation.

✅ Strengths

1. Excellent Documentation - Outstanding addition of comprehensive docs (thruster.md, early-hints-investigation.md, etc.)
2. Systematic Dependency Updates - Ruby 3.4.3 → 3.4.6, Rails 8.0.3 → 8.1.1
3. Good Docker Practices - Multi-stage build pattern maintained

🔴 Critical Security Concerns

1. SECRET_KEY_BASE Placeholder in Production

File: .controlplane/templates/app.yml:23-26

The hardcoded placeholder should NEVER be used in production. It completely compromises session security.

Recommendation:

• Remove this from the template entirely, or use a Control Plane secret reference
• Add validation to fail deployment if placeholder is detected

⚠️ Issues & Concerns

2. Dependency Management - Using GitHub Branch

File: Gemfile:8 - Points to master branch instead of a released version

Recommendation: Pin to a specific commit SHA or wait for official release

3. Increased Sleep Times in Procfile.dev

Sleep increased from 5 to 15 seconds, adding unnecessary delay

Recommendation: Use process dependency checking instead of arbitrary sleeps

4. Missing Test Coverage

No tests found for the new early hints functionality

5. Redis Commented Out

Assumes developers are on macOS with Homebrew. Keep redis in Procfile for cross-platform compatibility

6. Duplicate Configuration

spec/rails_helper.rb has config.infer_spec_type_from_file_location! at line 69 and 105

7. Debug Mode in Production

config/shakapacker.yml has debug: true for early_hints in production

Recommendation: Make this configurable via environment variable

🔍 Code Quality

8. Early Hints Debug Scripts

Useful utilities but in project root which clutters the directory. Move to scripts/ or bin/

9. Typo in Comment

config/shakapacker.yml:26 - Procfile.dev-setic should be Procfile.dev-static

🎓 Recommendations Summary

Must Fix (Security):

1. ❌ Remove hardcoded SECRET_KEY_BASE placeholder from app.yml
2. ❌ Add validation to prevent deploying with placeholder secrets

Should Fix:

3. ⚠️ Pin react_on_rails to specific commit SHA instead of branch
4. ⚠️ Replace arbitrary sleep with proper dependency checking
5. ⚠️ Add test coverage for early hints functionality
6. ⚠️ Set debug: false in production for early_hints

Nice to Have:

7. 📝 Move debug scripts to scripts/ directory
8. 📝 Remove duplicate config in rails_helper.rb
9. 📝 Fix typo in shakapacker.yml

✨ Overall Assessment

Rating: 7.5/10 - Good implementation with excellent documentation, but critical security issue with SECRET_KEY_BASE

Strengths: Well-researched and documented, systematic approach to dependencies, good understanding of HTTP/2 architecture

Weaknesses: Security concern with hardcoded secrets, missing test coverage, development experience degradation

Recommendation: Fix the SECRET_KEY_BASE issue before merging. Consider adding basic test coverage and addressing the sleep timers for better DX.

Great work on the documentation! The investigation docs and troubleshooting guides will be invaluable for future developers. 🎉

[claude]

Pull Request Review: Enable Shakapacker Early Hints

This PR introduces Thruster HTTP/2 proxy integration and early hints support, along with Ruby 3.4.6 upgrade and dependency updates. Overall, this is a well-structured PR with comprehensive documentation. Below is detailed feedback across different aspects:

---

✅ Strengths

1. Excellent Documentation: The extensive documentation in .controlplane/readme.md, docs/thruster.md, and other guides provides clear instructions and troubleshooting steps.

2. Comprehensive Testing Utilities: The addition of check_early_hints.js and check_early_hints.py scripts shows thoughtful consideration for verification.

3. Consistent Updates: Ruby version upgrade is applied consistently across all configuration files (.ruby-version, Gemfile, CI workflows, Dockerfile).

4. Good Architectural Documentation: Clear explanation of the HTTP/2 protocol flow and why protocol: http is correct for Control Plane deployment.

---

🔍 Code Quality & Best Practices

Docker Configuration (.controlplane/Dockerfile)

✅ Good:

• Proper use of AS (uppercase) in multi-stage build syntax
• Secure handling of SECRET_KEY_BASE with placeholder values during build
• Good documentation comments explaining the rationale

⚠️ Concerns:

1. Potential Security Issue - Line 69 & 75-76:

RUN SECRET_KEY_BASE=precompile_placeholder bin/rails react_on_rails:locale
RUN SECRET_KEY_BASE=precompile_placeholder yarn res:build && \
    SECRET_KEY_BASE=precompile_placeholder bin/rails assets:precompile

Issue: While the comments indicate this is a placeholder, using predictable values in Docker builds can be problematic if:

• Build logs are exposed
• Intermediate layers are cached and accessible
• The placeholder somehow persists in the runtime environment

Recommendation: Consider using a randomly generated value per build:

RUN SECRET_KEY_BASE=$(openssl rand -hex 64) bin/rails react_on_rails:locale

2. Missing Thruster Binary Verification:
   The Dockerfile assumes thruster (command: thrust) will be available via the gem, but there's no explicit verification. Consider adding a build check:

RUN bundle exec thrust --version || echo "Thruster not found"

Dependency Management

⚠️ Using Git Branch Dependencies:

gem "react_on_rails", github: "shakacode/react_on_rails", branch: "master"

Issue: Pinning to a git branch (master) instead of a specific version or commit SHA means:

• Builds are not reproducible (master can change)
• Gemfile.lock will reference a specific commit, but that's implicit
• Potential for unexpected breaking changes

Recommendation:

• If this is for testing pre-release features, document it clearly in PR description
• Consider using a specific commit SHA: github: "...", ref: "b50a74d9045015479d2eb515adee5060963ec72d"
• Plan to migrate to a stable version before production deployment

Note from Gemfile.lock: The lock file shows revision: b50a74d9045015479d2eb515adee5060963ec72d, which is good for current reproducibility.

Configuration Files

Procfile.dev - Line 4:

# redis: redis-server  # Run Redis as a system service instead (brew services start redis)

Issue: This comment assumes Homebrew, which is macOS-specific. Developers on Linux or Windows won't find this helpful.

Recommendation: Provide cross-platform guidance or mention this is for macOS developers.

---

🐛 Potential Bugs

1. Missing WebSocket Dependency

check_early_hints.js uses the ws library:

const WebSocket = require('ws');

Issue: This dependency is not listed in package.json. The script will fail when run.

Fix: Add to package.json (as a dev dependency):

"devDependencies": {
  "ws": "^8.14.0"
}

2. Hardcoded Localhost References

Both verification scripts (check_early_hints.js and check_early_hints.py) hardcode localhost:9222:

const req = http.get('http://localhost:9222/json', ...);

Issue: This won't work for remote debugging or different port configurations.

Recommendation: Accept host/port as command-line arguments or environment variables.

3. Error Handling in Scripts

check_early_hints.js has a bare try-catch that swallows errors:

} catch (e) {
  // Ignore parse errors for other messages
}

Issue: This could hide legitimate errors. Consider logging ignored errors in debug mode.

4. Duplicate Configuration in rails_helper.rb

Lines 105-106 duplicate line 69:

# Line 69
config.infer_spec_type_from_file_location!

# Lines 105-106 (duplicate)
config.infer_spec_type_from_file_location!

Fix: Remove the duplicate on line 105.

---

⚡ Performance Considerations

Positive Changes:

1. Thruster Integration: HTTP/2 multiplexing should significantly improve asset loading performance.

2. Early Hints Support: Configured via shakapacker.yml:

early_hints:
  enabled: true
  debug: true

This allows browsers to preload assets while the server prepares the response.

3. Proper Asset Cleanup: Dockerfile removes build artifacts:

rm -rf /app/lib/bs /app/client/app

Concerns:

1. Debug Mode in Production:

early_hints:
  debug: true # Set to true to output debug info as HTML comments

Issue: This adds HTML comments to production responses, increasing payload size.

Recommendation: Set debug: false in production or use environment-based configuration:

debug: <%= ENV['EARLY_HINTS_DEBUG'] == 'true' %>

2. Increased Sleep Time in Procfile.dev:

# Changed from sleep 5 to sleep 15
wp-client: sleep 15 && RAILS_ENV=development NODE_ENV=development bin/shakapacker-dev-server

Issue: 15-second startup delay could frustrate developers.

Recommendation: Consider using a polling mechanism that checks if ReScript compilation is complete rather than a fixed delay.

---

🔒 Security Concerns

1. SECRET_KEY_BASE Handling

Moderate Concern: The Dockerfile and release_script.sh use:

SECRET_KEY_BASE=precompile_placeholder

While this is only used during build and the actual secret is provided at runtime, ensure:

• ✅ The actual SECRET_KEY_BASE is provided via environment variables in .controlplane/templates/app.yml
• ⚠️ The placeholder value in app.yml should be replaced with a secure secret for production:

# Current (line 25 in app.yml):
value: 'placeholder_secret_key_base_for_test_apps_only'

Recommendation: The comment says this is for test apps, but ensure this is replaced with a proper secret for production deployments, preferably using Control Plane secrets management.

2. No Input Validation in Utility Scripts

The verification scripts connect to Chrome DevTools without validating the debugging port is intentionally exposed.

Recommendation: Add warnings about the security implications of running Chrome with --remote-debugging-port=9222.

3. Gem from Git Branch

Using gem "react_on_rails", github: "shakacode/react_on_rails", branch: "master" means you're pulling code from a mutable source.

Security Implication: If the upstream repository is compromised, malicious code could be introduced.

Recommendation: Use a specific commit SHA or wait for an official release.

---

🧪 Test Coverage

Positive:

1. CI Configuration Updated: All GitHub Actions workflows updated to Ruby 3.4.6.

2. Test Helper Configuration: The rails_helper.rb properly configures Capybara for headless Chrome testing.

3. ReactOnRails Test Helper: Ensures webpack assets are compiled for JavaScript tests:

ReactOnRails::TestHelper.configure_rspec_to_compile_assets(config)

Gaps:

1. No Tests for Thruster Integration: There are no automated tests verifying:
   • Thruster starts correctly
   • HTTP/2 is actually enabled
   • Early hints are being sent

Recommendation: Add system tests that verify:

# Example test structure
it 'serves assets via Thruster with HTTP/2' do
  visit root_path
  # Verify specific Thruster behaviors
end

2. Manual Testing Only: The PR description has unchecked testing items:

## Testing
- [ ] Verify that Shakapacker builds assets correctly.
- [ ] Confirm early hints are being served in production by inspecting network requests.

Recommendation: Complete these verification steps before merging.

3. No Tests for New Utility Scripts: The check_early_hints.js and .py scripts have no tests.

---

📝 Additional Recommendations

1. Missing Package Dependency

Add the ws dependency:

yarn add --dev ws

2. Remove Duplicate Code

Fix the duplicate configuration in spec/rails_helper.rb.

3. Documentation Clarity

The extensive documentation is great, but consider:

• Adding a "Quick Start" section at the top of docs/thruster.md
• Creating a troubleshooting decision tree
• Adding diagrams for the HTTP/2 flow

4. Environment-Specific Configuration

Consider making early hints debug mode environment-aware:

# config/shakapacker.yml
production:
  early_hints:
    enabled: true
    debug: <%= ENV.fetch('EARLY_HINTS_DEBUG', 'false') == 'true' %>

5. Cleanup Old Comments

The comment about SECRET_KEY_BASE=NOT_USED_NON_BLANK was properly expanded, but ensure all related comments are updated for clarity.

---

🎯 Summary & Verdict

Category	Rating	Notes
Code Quality	⭐⭐⭐⭐☆	Well-structured with minor issues
Security	⭐⭐⭐☆☆	Concerns about SECRET_KEY_BASE handling and git dependencies
Performance	⭐⭐⭐⭐⭐	Excellent performance improvements expected
Testing	⭐⭐⭐☆☆	Needs automated tests for new functionality
Documentation	⭐⭐⭐⭐⭐	Exceptional documentation

Recommendation: Approve with Changes

This PR introduces valuable performance improvements and is well-documented. However, please address:

Must Fix Before Merge:

1. Add ws to package.json dev dependencies
2. Remove duplicate infer_spec_type_from_file_location! in rails_helper.rb
3. Complete manual testing checklist items
4. Verify production SECRET_KEY_BASE is properly configured

Should Fix Before Merge:
5. Set early_hints.debug: false for production or make it environment-aware
6. Add tests verifying Thruster integration works correctly

Nice to Have:
7. Use commit SHA instead of branch for react_on_rails gem
8. Improve cross-platform documentation for Redis setup
9. Add error handling to verification scripts

Great work on this feature! The Thruster integration and comprehensive documentation will be valuable for the project. 🚀

[justin808]

/deploy-review-app

[github-actions]

🎉 ✨ Deploy Complete! 🚀

🌐 ➡️ Open Review App

Deployment successful for PR #687, commit ed38906

🎮 Control Plane Console
📋 View Completed Action Build and Deploy Logs

[claude]

Pull Request Review: Enable Shakapacker Early Hints

Summary

This PR adds comprehensive HTTP/2 and early hints support through Thruster integration and Shakapacker configuration. The changes are substantial but well-structured, adding 1913 lines across 32 files with excellent documentation.

✅ Strengths

1. Excellent Documentation

• Outstanding: Added comprehensive documentation in docs/ covering Thruster setup, early hints investigation, verification guides, and troubleshooting
• The .controlplane/readme.md additions provide clear deployment guidance with architectural explanations
• Well-commented code changes explaining the "why" behind configurations

2. Security Improvements

• Good: Removed SECRET_KEY_BASE from ENV in Dockerfile (.controlplane/Dockerfile:65-66)
• Good: Only sets SECRET_KEY_BASE inline during build commands, not persisted in final image
• Good: Added placeholder with clear comments in .controlplane/templates/app.yml:22-27 for test apps

3. Infrastructure Modernization

• Ruby upgrade from 3.4.3 → 3.4.6 (security patches)
• Thruster HTTP/2 proxy integration for 20-30% performance improvement
• Consistent Procfile updates across all variants

4. Testing Configuration

• Excellent: Fixed Chrome headless mode for modern Chrome (109+) using --headless=new
• Clean driver registration pattern in spec/support/driver_registration.rb
• Proper separation of concerns

⚠️ Issues & Concerns

1. CRITICAL: Dependency on Unreleased Code

Location: Gemfile:8

gem "react_on_rails", "16.2.0.beta.20"

Location: Gemfile.lock:3

GIT
  remote: https://github.com/shakacode/react_on_rails.git
  revision: b50a74d9045015479d2eb515adee5060963ec72d
  branch: master

Issue: The Gemfile specifies 16.2.0.beta.20 but Gemfile.lock shows 16.2.0.beta.12 from the master branch at commit b50a74d9. This is inconsistent and points to unreleased code.

Risk:

• Breaking changes in master branch could break production without warning
• No version pinning = unpredictable deployments
• Difficult to reproduce issues across environments

Recommendation:

• Use a stable, released version, OR
• If beta testing is intentional, update Gemfile to match: gem "react_on_rails", github: "shakacode/react_on_rails", branch: "master" and document why
• Consider tagging a specific commit for reproducibility

2. Version Mismatch: Shakapacker

Location: Gemfile:9 vs Gemfile.lock:393

# Gemfile
gem "shakapacker", "9.3.4.beta.0"

# Gemfile.lock
shakapacker (9.3.3)

Issue: Gemfile requests beta 9.3.4 but Gemfile.lock has stable 9.3.3. The PR description mentions keeping stable 9.3.3, but the Gemfile wasn't updated to reflect this decision.

Recommendation: Update Gemfile to gem "shakapacker", "9.3.3" to match the lock file and PR description.

3. Early Hints Debug Mode in Production

Location: config/shakapacker.yml:70

production:
  early_hints:
    enabled: true
    debug: true # Set to true to output debug info as HTML comments

Issue: Debug mode is enabled in production, adding HTML comments to every response. While helpful for verification, this:

• Slightly increases response size
• Exposes internal configuration details
• Is typically only needed during testing

Recommendation: Set debug: false for production after verification is complete, or add a note that this is temporary for testing.

4. Potential Configuration Issue: ReactRefreshWebpackPlugin

Location: config/webpack/development.js:19-23

// Disable ReactRefreshWebpackPlugin as it's not compatible with rspack
// and causes pack generation failures in development
// See: https://github.com/shakacode/react_on_rails/issues/2090
plugins: plugins.filter(
  plugin => !(plugin instanceof ReactRefreshWebpackPlugin)
)

Issue: Disabling React Fast Refresh significantly degrades developer experience by requiring full page reloads instead of hot module replacement for React components.

Question: Is this a temporary workaround? The GitHub issue link should be verified.

Recommendation:

• Verify if this is still necessary with the current rspack version
• Document the trade-off more prominently if it's permanent
• Consider alternative solutions or rspack-compatible refresh plugins

5. Increased Procfile Sleep Timers

Location: Procfile.dev:9-10

wp-client: sleep 15 && RAILS_ENV=development NODE_ENV=development bin/shakapacker-dev-server
wp-server: sleep 15 && bundle exec rake react_on_rails:locale && HMR=true SERVER_BUNDLE_ONLY=yes bin/shakapacker --watch

Issue: Sleep increased from 5s to 15s (3x longer). While this ensures ReScript builds complete, it slows development startup.

Recommendation:

• Consider a more elegant solution like polling for ReScript completion
• Document that developers can reduce this if not using ReScript
• Investigate if there's a way to make ReScript build blocking instead of sleep-based

6. Security: SECRET_KEY_BASE Placeholder

Location: .controlplane/templates/app.yml:26

value: 'placeholder_secret_key_base_for_test_apps_only'

Issue: While clearly documented as for test apps only, having a hardcoded placeholder in a template could lead to:

• Accidentally deploying to production with insecure keys
• Copy-paste errors when creating new apps

Recommendation:

• Make the deployment fail if SECRET_KEY_BASE equals the placeholder value
• Add a startup validation check in config/initializers/ that raises an error in production if using placeholder
• Or use an environment variable check in the GVC template

🔍 Code Quality

Good Practices Observed:

• ✅ Consistent coding style across all changes
• ✅ Proper use of Ruby's frozen_string_literal: true
• ✅ Good separation of concerns (driver registration module)
• ✅ Comprehensive error messages in scripts
• ✅ Proper use of heredocs for multiline strings
• ✅ SVG component extraction in Footer.jsx reduces duplication

Minor Issues:

• Duplication: config.infer_spec_type_from_file_location! appears twice in spec/rails_helper.rb (lines 69 and 105)
• Commented Code: # redis: redis-server in Procfile.dev:5 - consider documenting in a README instead of commented code

🧪 Test Coverage

Concerns:

• ✅ RSpec configuration updated correctly
• ✅ Chrome headless driver properly configured
• ⚠️ No new tests added for early hints functionality
• ❓ How is early hints behavior tested in CI?

Recommendation: Add integration tests that verify:

• Early hints headers are sent when enabled
• Preload links are correctly generated
• Thruster properly serves compressed assets

🚀 Performance Considerations

Positive:

• ✅ HTTP/2 multiplexing will significantly improve page load times
• ✅ Brotli compression reduces bandwidth
• ✅ Asset caching improvements

Concerns:

• ⚠️ The 15-second Procfile sleep adds startup overhead
• ℹ️ Early hints debug mode adds small overhead (recommend disabling post-verification)

📊 Overall Assessment

Quality: 7.5/10

• Excellent documentation and infrastructure improvements
• Good security practices in most areas
• Well-structured code changes

Risk Level: Medium

• Dependency on unreleased/beta software is the main risk
• Version mismatches between Gemfile and Gemfile.lock need resolution
• Production debug mode should be addressed

🎯 Recommendations Summary

Must Fix Before Merge:

1. ✅ Resolve dependency version mismatches (react_on_rails and shakapacker)
2. ✅ Pin to stable versions or explicitly document beta testing strategy
3. ✅ Fix duplicate infer_spec_type_from_file_location! in rails_helper.rb

Should Fix:

4. ⚠️ Disable early hints debug mode in production (or document it's temporary)
5. ⚠️ Add SECRET_KEY_BASE validation to prevent placeholder in production
6. ⚠️ Add tests for early hints functionality

Consider:

7. 💡 Optimize Procfile sleep timers with smarter dependency detection
8. 💡 Re-evaluate ReactRefreshWebpackPlugin workaround
9. 💡 Remove commented code in favor of documentation

---

Great work on this comprehensive feature addition! The documentation quality is exceptional, and the Thruster integration looks solid. The main concerns are around dependency management and production configuration that should be addressed before merging.

Reviewed locations:

• .controlplane/Dockerfile:1-85
• Gemfile:8-9 vs Gemfile.lock:3-13,393
• config/shakapacker.yml:68-71
• config/webpack/development.js:19-23
• Procfile.dev:1-10
• spec/rails_helper.rb:69,105
• .controlplane/templates/app.yml:22-27

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (3)

check_early_hints.py (1)

1-1: Execute permission still needs to be added.

This issue was previously flagged and remains unresolved. The shebang indicates this is an executable script, but the file lacks execute permissions.

Run the following command to fix:

chmod +x check_early_hints.py

docs/why-curl-doesnt-show-103.md (1)

12-12: Replace hardcoded PR review app URL with a placeholder.

Similar to the previous documentation file, this contains hardcoded PR review app URLs (lines 12, 152) that will become invalid after the PR is merged. Replace with a placeholder like https://YOUR-REVIEW-APP.cpln.app/ and add documentation on how to substitute the actual URL.

docs/chrome-mcp-server-setup.md (1)

206-206: Replace hardcoded PR review app URL with a placeholder.

This file also contains the hardcoded PR review app URL at lines 206 and 223. Apply the same fix as recommended for the other documentation files.

🧹 Nitpick comments (5)

spec/support/driver_registration.rb (1)

30-48: Consider renaming method for clarity.

The implementation correctly registers the :headless_chrome driver with the --headless=new flag, and the screenshot integration is properly configured.

However, the method name register_selenium_chrome_headless no longer matches the driver it registers (:headless_chrome). Consider renaming for consistency:

🔎 Suggested refactor

-  def self.register_selenium_chrome_headless
+  def self.register_headless_chrome
     # Use a custom driver name to avoid conflicts with Capybara's built-in
     # :selenium_chrome_headless which uses the old --headless flag.
     # Chrome 109+ requires --headless=new for proper headless operation.

If you apply this refactor, also update the caller in spec/rails_helper.rb:

# In spec/rails_helper.rb line 46
DriverRegistration.register_headless_chrome

check_early_hints.py (1)

48-82: Address static analysis warnings for code quality.

The script has several minor code quality issues flagged by Ruff:

• Line 48: Loop control variable i is not used within the loop body
• Line 80: Catching blind Exception is too broad
• Line 80: Variable e is assigned but never used

🔎 Apply this diff to address the warnings:

-for i in range(10):  # Read a few messages
+for _ in range(10):  # Read a few messages
     try:
         msg = ws.recv()
         data = json.loads(msg)
 
         if 'id' in data and data['id'] == 3:
             # This is our HTML response
             if 'result' in data and 'result' in data['result']:
                 html = data['result']['result']['value']
 
                 # Search for Early Hints debug comments
                 if 'Early Hints' in html:
                     print("🎉 Found Early Hints debug comments in HTML!\n")
 
                     # Extract the comments
                     import re
                     matches = re.findall(r'<!--[\s\S]*?Early Hints[\s\S]*?-->', html)
                     for match in matches:
                         print(match)
                         print()
                     found_early_hints = True
                 else:
                     print("❌ No Early Hints debug comments found in HTML")
 
                 # Check for Link headers in the HTML head
                 if 'rel=preload' in html or 'rel="preload"' in html:
                     print("\n✅ Found preload links in HTML:")
                     preload_matches = re.findall(r'<link[^>]*rel=["\']preload["\'][^>]*>', html)
                     for link in preload_matches[:5]:
                         print(f"  {link}")
                 break
 
-    except Exception as e:
+    except (json.JSONDecodeError, websocket.WebSocketException):
         break

.controlplane/Dockerfile (1)

2-3: Ruby 3.4.6 is available but outdated; upgrade to 3.4.7 for security patches.

Ruby 3.4.6-slim is available on Docker Hub, but Ruby 3.4.7 was released in October 2025 with a critical uri gem security fix (CVE-2025-61594). Update ARG RUBY_VERSION=3.4.7 to receive bug fixes and security updates. Gem compatibility should be verified with the project's Gemfile.lock to ensure all dependencies resolve correctly.

.controlplane/readme.md (1)

164-174: Clarify the relationship between Procfile and Dockerfile CMD.

The section shows a Procfile example (lines 167-169) and immediately states that "The Procfile is ignored" on Control Plane (line 171). This juxtaposition could confuse readers about why the Procfile is being shown.

Consider restructuring to reduce confusion:

🔎 Suggested improvement

-### Important: Dockerfile vs Procfile
+### Important: Dockerfile vs Procfile (Heroku Migration Note)
 
-**On Heroku:** The `Procfile` defines how dynos start:
+**Why this matters:** If you're migrating from Heroku, note that the startup mechanism differs:
+
+**Heroku (Procfile-based):**

web: bundle exec thrust bin/rails server

-**On Control Plane/Kubernetes:** The `Dockerfile CMD` defines how containers start. The Procfile is ignored.
+**Control Plane/Kubernetes (Dockerfile-based):**
+The Dockerfile CMD defines how containers start. **Procfiles are ignored** by Control Plane.
+Ensure your `.controlplane/Dockerfile` has the correct CMD (shown above).

-This is a common source of confusion when migrating from Heroku. Always ensure your Dockerfile CMD matches your intended startup command.
+This distinction is a common source of confusion when migrating from Heroku.

docs/thruster.md (1)

1-337: Optional: Consider adding language identifiers to code blocks.

Static analysis tools flag several code blocks that lack language identifiers (lines 44, 49, 54, 59, 64, 125, 137, 211, 276, 281). While this doesn't affect functionality, adding identifiers like bash or text would improve syntax highlighting and accessibility. This is purely a documentation quality improvement, not a blocking issue.

Example improvements

-```
+```text
 web: bundle exec thrust bin/rails server

- +text
[thrust] Starting Thruster HTTP/2 proxy
[thrust] Proxying to http://localhost:3000

</details>

</blockquote></details>

</blockquote></details>

<details>
<summary>📜 Review details</summary>

**Configuration used**: Organization UI

**Review profile**: CHILL

**Plan**: Pro

<details>
<summary>📥 Commits</summary>

Reviewing files that changed from the base of the PR and between 80df3b549e7fee0d60c1f0a6919880f3852eb869 and d0fc8d13b7a45bdc6c8d678372a0521e31c0d8fb.

</details>

<details>
<summary>⛔ Files ignored due to path filters (2)</summary>

* `Gemfile.lock` is excluded by `!**/*.lock`
* `yarn.lock` is excluded by `!**/yarn.lock`, `!**/*.lock`

</details>

<details>
<summary>📒 Files selected for processing (30)</summary>

* `.controlplane/Dockerfile` (3 hunks)
* `.controlplane/readme.md` (1 hunks)
* `.controlplane/release_script.sh` (1 hunks)
* `.controlplane/templates/app.yml` (1 hunks)
* `.controlplane/templates/rails.yml` (1 hunks)
* `.github/workflows/js_test.yml` (1 hunks)
* `.github/workflows/lint_test.yml` (1 hunks)
* `.github/workflows/rspec_test.yml` (1 hunks)
* `.ruby-version` (1 hunks)
* `Gemfile` (2 hunks)
* `Procfile` (1 hunks)
* `Procfile.dev` (1 hunks)
* `Procfile.dev-prod-assets` (1 hunks)
* `Procfile.dev-static` (1 hunks)
* `Procfile.dev-static-assets` (1 hunks)
* `README.md` (3 hunks)
* `check_early_hints.js` (1 hunks)
* `check_early_hints.py` (1 hunks)
* `client/app/bundles/comments/components/Footer/ror_components/Footer.jsx` (2 hunks)
* `config/initializers/react_on_rails.rb` (1 hunks)
* `config/shakapacker.yml` (2 hunks)
* `config/webpack/development.js` (2 hunks)
* `docs/chrome-mcp-server-setup.md` (1 hunks)
* `docs/early-hints-investigation.md` (1 hunks)
* `docs/thruster.md` (1 hunks)
* `docs/verify-early-hints-manual.md` (1 hunks)
* `docs/why-curl-doesnt-show-103.md` (1 hunks)
* `package.json` (1 hunks)
* `spec/rails_helper.rb` (1 hunks)
* `spec/support/driver_registration.rb` (2 hunks)

</details>

<details>
<summary>✅ Files skipped from review due to trivial changes (2)</summary>

* .ruby-version
* .github/workflows/lint_test.yml

</details>

<details>
<summary>🚧 Files skipped from review as they are similar to previous changes (8)</summary>

* package.json
* .controlplane/release_script.sh
* .controlplane/templates/app.yml
* Procfile.dev
* check_early_hints.js
* client/app/bundles/comments/components/Footer/ror_components/Footer.jsx
* Procfile.dev-static
* Gemfile

</details>

<details>
<summary>🧰 Additional context used</summary>

<details>
<summary>🧬 Code graph analysis (1)</summary>

<details>
<summary>config/webpack/development.js (2)</summary><blockquote>

<details>
<summary>config/webpack/client.js (1)</summary>

* `require` (4-4)

</details>
<details>
<summary>config/webpack/server.js (1)</summary>

* `require` (4-4)

</details>

</blockquote></details>

</details><details>
<summary>🪛 LanguageTool</summary>

<details>
<summary>docs/early-hints-investigation.md</summary>

[grammar] ~129-~129: Ensure spelling is correct
Context: ...ered successfully: - **Best case**: 100-200ms improvement on slow connections - **Com...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

---

[grammar] ~156-~156: Ensure spelling is correct
Context: ...ent - Gain minimal performance benefit (<200ms in best case)  **Cost-benefit analysis*...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

---

[grammar] ~187-~187: Use a hyphen to join words.
Context: ...st.send_early_hints` support) - ✅ HTTP/2 capable server (Puma 5+, Thruster, nginx...

(QB_NEW_EN_HYPHEN)

</details>
<details>
<summary>docs/verify-early-hints-manual.md</summary>

[style] ~136-~136: Try using a synonym here to strengthen your wording.
Context: ...t working, you'd see:  1. No HTML debug comments about early hints 2. No Link headers in...

(COMMENT_REMARK)

</details>

</details>
<details>
<summary>🪛 markdownlint-cli2 (0.18.1)</summary>

<details>
<summary>docs/chrome-mcp-server-setup.md</summary>

22-22: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

46-46: Bare URL used

(MD034, no-bare-urls)

---

110-110: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

174-174: Bare URL used

(MD034, no-bare-urls)

---

222-222: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

227-227: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

232-232: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

237-237: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

242-242: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>
<details>
<summary>docs/thruster.md</summary>

44-44: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

49-49: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

54-54: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

59-59: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

64-64: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

125-125: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

137-137: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

211-211: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

276-276: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

281-281: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>
<details>
<summary>.controlplane/readme.md</summary>

167-167: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

185-185: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

260-260: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

266-266: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>
<details>
<summary>docs/early-hints-investigation.md</summary>

38-38: Bare URL used

(MD034, no-bare-urls)

---

48-48: Bare URL used

(MD034, no-bare-urls)

---

80-80: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

100-100: Blank line inside blockquote

(MD028, no-blanks-blockquote)

</details>
<details>
<summary>docs/verify-early-hints-manual.md</summary>

8-8: Bare URL used

(MD034, no-bare-urls)

---

18-18: Bare URL used

(MD034, no-bare-urls)

---

26-26: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

---

27-27: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

35-35: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

---

76-76: Bare URL used

(MD034, no-bare-urls)

---

122-122: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

146-146: Dollar signs used before commands without showing output

(MD014, commands-show-output)

</details>
<details>
<summary>docs/why-curl-doesnt-show-103.md</summary>

12-12: Dollar signs used before commands without showing output

(MD014, commands-show-output)

---

43-43: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>

</details>
<details>
<summary>🪛 Ruff (0.14.8)</summary>

<details>
<summary>check_early_hints.py</summary>

48-48: Loop control variable `i` not used within loop body

Rename unused `i` to `_i`

(B007)

---

80-80: Do not catch blind exception: `Exception`

(BLE001)

---

80-80: Local variable `e` is assigned to but never used

Remove assignment to unused variable `e`

(F841)

</details>

</details>

</details>

<details>
<summary>🔇 Additional comments (18)</summary><blockquote>

<details>
<summary>.github/workflows/rspec_test.yml (1)</summary><blockquote>

`17-17`: **Ruby version update looks good.**

The update to Ruby 3.4.6 is consistent with the changes in `js_test.yml` and the repository-wide Ruby version bump. Please ensure the verification of Ruby 3.4.6 availability (as requested in the `js_test.yml` review) passes successfully.

</blockquote></details>
<details>
<summary>.github/workflows/js_test.yml (1)</summary><blockquote>

`17-17`: **Ruby 3.4.6 is available and stable for CI environments.**

Ruby 3.4.6 has been released as a routine update that includes bug fixes. The release fixes important bugs including issues with the Prism compiler, ruby2_keywords, regular expression matching, and file path handling on Windows, aiming to improve stability and compatibility. The version is widely available in CI environments, including Heroku and ruby-build.

</blockquote></details>
<details>
<summary>spec/rails_helper.rb (1)</summary><blockquote>

`71-79`: **Driver configuration is correct and properly uses the --headless=new flag for Chrome 109+.**

The custom `:headless_chrome` driver is consistently applied across default, JavaScript, and system specs. The implementation explicitly includes the `--headless=new` flag (line 36 of driver_registration.rb) as documented. The configuration correctly avoids Capybara's built-in `:selenium_chrome_headless` driver which uses the older headless mode.

Ensure the test environment is running Chrome 109 or later to support the `--headless=new` flag.

</blockquote></details>
<details>
<summary>config/shakapacker.yml (2)</summary><blockquote>

`31-31`: **LGTM! Clearer protocol specification.**

The change from `https: false` to `server: http` is more explicit and aligns with modern Shakapacker configuration patterns.

---

`66-70`: **Early hints configuration is supported in Shakapacker 9.3.3.**

The configuration is correct and ready for production. Setting debug to true during initial rollout is appropriate for monitoring hint delivery.

</blockquote></details>
<details>
<summary>.controlplane/templates/rails.yml (1)</summary><blockquote>

`23-24`: **LGTM! Helpful clarification on protocol handling.**

The inline comments effectively explain the protocol configuration in the context of Thruster HTTP/2 proxy integration, preventing potential confusion about why the protocol remains 'http'.

</blockquote></details>
<details>
<summary>config/webpack/development.js (2)</summary><blockquote>

`6-6`: **LGTM! Proper destructuring for bundler detection.**

Adding `config` to the destructuring is necessary for the rspack compatibility check below.

---

`16-28`: **LGTM! Correct conditional handling for rspack compatibility.**

The conditional logic properly excludes ReactRefreshWebpackPlugin when using rspack, which is appropriate since the plugin is not compatible with rspack. The implementation is clean and well-commented.

</blockquote></details>
<details>
<summary>config/initializers/react_on_rails.rb (1)</summary><blockquote>

`9-12`: **LGTM! Ensures locale generation before asset compilation.**

Chaining locale generation before the production build ensures that i18n assets are available during asset compilation, preventing potential runtime errors.

</blockquote></details>
<details>
<summary>.controlplane/Dockerfile (2)</summary><blockquote>

`63-77`: **LGTM! Improved SECRET_KEY_BASE handling for security.**

Using `SECRET_KEY_BASE=precompile_placeholder` inline for asset compilation steps instead of persisting it in the ENV is a security improvement. This ensures the placeholder is only available during the build process and not in the final image.

---

`85-86`: **LGTM! Thruster integration aligns with PR objectives.**

The updated CMD to use Thruster (`bundle exec thrust bin/rails server`) aligns with the PR's goal of enabling HTTP/2 and early hints support.

</blockquote></details>
<details>
<summary>Procfile.dev-prod-assets (1)</summary><blockquote>

`2-2`: **LGTM! Consistent Thruster integration.**

The update to use `bundle exec thrust bin/rails server -p 3001` is consistent with the broader Thruster HTTP/2 proxy integration across all Procfiles in this PR.

</blockquote></details>
<details>
<summary>Procfile (1)</summary><blockquote>

`1-1`: **LGTM! Thruster integration for production.**

The update to use `bundle exec thrust bin/rails server` enables HTTP/2 and early hints support in production, aligning with the PR objectives.

</blockquote></details>
<details>
<summary>Procfile.dev-static-assets (1)</summary><blockquote>

`2-2`: **LGTM: Thruster integration is consistent.**

The update to use `bundle exec thrust bin/rails server` aligns with the Thruster HTTP/2 proxy integration documented throughout the PR. This change is consistent with similar updates in other Procfiles.

</blockquote></details>
<details>
<summary>docs/chrome-mcp-server-setup.md (1)</summary><blockquote>

`260-293`: **LGTM: Playwright CDP implementation is correct.**

The code correctly uses the Chrome DevTools Protocol (CDP) to detect HTTP 103 Early Hints via `Network.responseReceivedEarlyHints` events. The note at lines 260-263 properly explains why `page.on('response')` cannot capture 1xx informational responses. This addresses the previous review feedback appropriately.

</blockquote></details>
<details>
<summary>README.md (1)</summary><blockquote>

`216-251`: **LGTM: Thruster documentation is well-integrated.**

The Thruster HTTP/2 Proxy section provides a clear, concise overview with appropriate links to detailed documentation. The content is consistent with the comprehensive docs/thruster.md file and properly positions Thruster as a key technology in the stack.

</blockquote></details>
<details>
<summary>docs/thruster.md (1)</summary><blockquote>

`298-315`: **LGTM: Shakapacker Early Hints configuration properly documented.**

The Shakapacker Early Hints configuration section addresses the previous review feedback by documenting how to enable early hints in `config/shakapacker.yml`. The explanation clearly connects Shakapacker's Link headers with Thruster's HTTP/2 optimization capabilities.

</blockquote></details>
<details>
<summary>docs/early-hints-investigation.md (1)</summary><blockquote>

`93-103`: **External reference is accessible and provides reliable context.**

The island94.org blog post documents production testing showing that major websites (GitHub, Google, Shopify, Basecamp) do not serve 103 Early Hints, confirming the information cited in your documentation is accurate. The reference remains current and accessible; however, consider maintaining a snapshot or documenting the key findings in case the external source becomes unavailable in the future.

</blockquote></details>

</blockquote></details>

</details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->

[claude]

Pull Request Review: Enable Shakapacker Early Hints

Overview

This PR adds comprehensive HTTP/2 and early hints support through Thruster integration and Shakapacker configuration. The implementation is well-documented and thoroughly tested.

✅ Strengths

1. Comprehensive Documentation

• Excellent documentation in docs/thruster.md explaining Thruster integration, configuration, and troubleshooting
• Added Control Plane-specific guidance in .controlplane/readme.md with clear architecture diagrams
• Multiple verification guides for testing early hints functionality
• Clear explanations of why certain configurations are needed (e.g., protocol: http vs protocol: http2)

2. Good Security Practices

• SECRET_KEY_BASE handling: Properly moved from ENV to inline usage during build, preventing secret exposure in Docker images
• Secrets only used during asset precompilation and not persisted
• Added placeholder guidance in Control Plane templates with instructions for production values

3. Thoughtful Implementation

• Ruby version upgrade (3.4.3 → 3.4.6) for latest stability
• Fixed Chrome headless mode for modern Chrome versions (using --headless=new)
• Extracted reusable SVG icon components in Footer.jsx to reduce duplication
• Added proper error handling in verification scripts

🔍 Issues & Concerns

HIGH PRIORITY

1. Dependency on Unreleased Code (Critical)

# Gemfile
gem "react_on_rails", "16.2.0.beta.20"

But Gemfile.lock shows:

GIT
  remote: https://github.com/shakacode/react_on_rails.git
  revision: b50a74d9045015479d2eb515adee5060963ec72d
  branch: master

Issue: The Gemfile specifies version 16.2.0.beta.20 but Gemfile.lock is using the GitHub master branch at a specific commit. This is inconsistent and problematic:

• Version mismatch between declaration and actual dependency
• Master branch is unstable and can change at any time
• Breaking changes on master will affect production deployments
• Violates semantic versioning principles
• Makes rollbacks and version tracking difficult

Recommendation:

• Either use a stable released version (preferred for production)
• OR update Gemfile to explicitly specify the GitHub source: gem "react_on_rails", github: "shakacode/react_on_rails", branch: "master"
• OR wait for beta.20 to be officially released

2. Shakapacker Version Inconsistency

# Gemfile
gem "shakapacker", "9.3.4.beta.0"

# Gemfile.lock
shakapacker (9.3.3)

Issue: The Gemfile requests beta version 9.3.4.beta.0 but Gemfile.lock resolved to stable 9.3.3. This suggests:

• The beta version doesn't exist or isn't available
• Should either use 9.3.3 explicitly or wait for 9.3.4

Recommendation: Update Gemfile to match what's actually installed:

gem "shakapacker", "9.3.3"

3. External Dependency Not in package.json

// check_early_hints.js:24
const WebSocket = require('ws');

Issue: The ws package is used but not declared in package.json dependencies. This will fail in CI/CD or fresh installations.

Recommendation: Add to package.json:

{
  "devDependencies": {
    "ws": "^8.0.0"
  }
}

MEDIUM PRIORITY

4. Hardcoded Timeout Values

// check_early_hints.js:39
setTimeout(() => { ... }, 500);

// check_early_hints.js:101
setTimeout(() => { ... }, 5000);

Issue: Magic numbers make the code harder to maintain and configure.

Recommendation: Extract to constants:

const CDP_INIT_DELAY = 500;
const CDP_TIMEOUT = 5000;

5. Error Handling Silently Ignores Errors

// check_early_hints.js:90-93
} catch (e) {
  // Ignore parse errors for other messages
}

Issue: Silent catch blocks can hide unexpected errors and make debugging difficult.

Recommendation: At minimum, log unexpected errors in debug mode:

} catch (e) {
  // Ignore parse errors for CDP protocol messages
  if (process.env.DEBUG) {
    console.error('Parse error:', e.message);
  }
}

6. Procfile.dev Redis Service Commented Out

# Procfile.dev:5
# redis: redis-server  # Run Redis as a system service instead

Issue: While the comment suggests running Redis as a system service, this creates an inconsistent developer experience:

• New developers won't know Redis is required
• No documentation about starting Redis before running the app
• Could lead to confusing "connection refused" errors

Recommendation: Either:

• Document Redis requirement in README.md
• OR add a healthcheck that provides a clear error message if Redis isn't running
• OR keep redis in the Procfile for consistent dev experience

7. Sleep Timers Increased Without Explanation

# Procfile.dev:9-10
wp-client: sleep 15 && ...
wp-server: sleep 15 && ...

Issue: Sleep times increased from 5s to 15s. While commit message mentions ensuring ReScript completes, this:

• Adds 15s delay to every dev server start
• Doesn't actually verify ReScript is done, just waits
• Could still fail on slower machines

Recommendation: Replace sleep with actual readiness checks:

wp-client: until [ -f .rescript-build-complete ]; do sleep 1; done && ...

And in rescript process:

rescript: yarn res:dev && touch .rescript-build-complete

LOW PRIORITY

8. Incomplete Test Checklist in PR Description

## Testing
- [ ] Verify that Shakapacker builds assets correctly.
- [ ] Confirm early hints are being served in production by inspecting network requests.

Issue: Checklist items are unchecked. Were these tests performed?

Recommendation: Update PR description with actual test results.

9. Dockerfile AS Casing Changed

# Before: FROM ... as base
# After:  FROM ... AS base

Issue: While this is more consistent with Docker best practices, it's cosmetic.

Note: This is actually good - uppercase AS is the documented standard.

🚀 Performance Considerations

Positive

• HTTP/2 multiplexing should provide 20-30% faster page loads ✅
• Brotli compression reduces bandwidth by 40-60% ✅
• Thruster's built-in asset caching reduces server load ✅

Concerns

• Development startup time: 15-second sleep delays are significant
• Docker image size: No optimization attempted (could multi-stage build cleanup be improved?)

🔒 Security Review

Good Practices ✅

• SECRET_KEY_BASE properly scoped to build-time only
• No secrets committed to repository
• Proper use of placeholder values in templates
• TLS configuration delegated to infrastructure layer

Recommendations

• Consider adding CSP headers if not already present
• Review CORS configuration with Thruster proxy
• Ensure Thruster's default security headers are appropriate

🧪 Test Coverage

What's Good

• Fixed Chrome headless mode for modern browsers
• Added verification scripts for early hints
• Test helper properly configured

Missing

• No automated tests for Thruster integration
• No tests verifying early hints are actually sent
• No tests for the new Footer component UI changes
• Check_early_hints.js script isn't integrated into CI

Recommendation: Add system tests that verify:

RSpec.describe "Early Hints", type: :system do
  it "sends early hints for assets" do
    # Test implementation here
  end
end

📝 Code Quality

Good Practices

• Extracted icon components (DRY principle)
• Clear naming conventions
• Comprehensive inline documentation
• RuboCop line length violation fixed

Minor Issues

• Some files mix tabs/spaces (Dockerfile)
• Could benefit from PropTypes in Footer.jsx
• Python script has inconsistent string quotes

🎯 Recommendations Summary

Must Fix Before Merge

1. Resolve react_on_rails version inconsistency (Gemfile vs Gemfile.lock)
2. Fix shakapacker version mismatch (9.3.4.beta.0 vs 9.3.3)
3. Add 'ws' package to package.json

Should Fix

4. Document Redis requirement for development
5. Replace sleep delays with proper readiness checks
6. Add proper error handling to check_early_hints.js
7. Add tests for early hints functionality

Nice to Have

8. Extract magic numbers to constants
9. Add PropTypes to Footer.jsx
10. Integrate verification scripts into CI pipeline

💭 Overall Assessment

This is a well-researched and thoroughly documented PR that adds valuable performance improvements. The Thruster integration is done correctly with proper understanding of the HTTP/2 architecture on Control Plane.

However, there are critical dependency management issues that must be resolved before merging. The inconsistency between Gemfile and Gemfile.lock, plus the missing npm dependency, could cause deployment failures.

Recommendation: Address the HIGH priority issues, then this PR will be ready to merge.

---

Review completed with focus on production readiness and maintainability. Let me know if you'd like me to elaborate on any points!

[claude]

Pull Request Review: Enable Shakapacker Early Hints

Overall Assessment

This PR introduces HTTP/2 Early Hints support through Thruster proxy and updates Ruby version. The changes are well-structured with comprehensive documentation, but there are several concerns that need addressing.

---

🔴 Critical Issues

1. Security: Hardcoded Placeholder Secrets

Location: .controlplane/Dockerfile:69, 75-76, release_script.sh:19, .controlplane/templates/app.yml:25

Issue: The PR uses SECRET_KEY_BASE=precompile_placeholder in multiple places. While this is acceptable for build-time asset compilation (where the secret isn't actually used), the template in app.yml has a concerning comment:

value: 'placeholder_secret_key_base_for_test_apps_only'

Risk: If this is deployed to production without override, it creates a severe security vulnerability.

Recommendation:

• Add explicit validation in entrypoint.sh to fail if SECRET_KEY_BASE matches known placeholder values in production
• Update documentation to emphasize this MUST be overridden before production deployment
• Consider using Rails' built-in credentials system instead

2. Dependency on Beta/Branch Packages

Location: Gemfile:8-9, package.json:95

Issue: The PR description mentions updating to use shakapacker from justin808/early-hints branch, but the actual Gemfile shows:

gem "shakapacker", "9.3.4.beta.0"

Concerns:

• Beta versions in production can introduce instability
• The PR description doesn't match the actual changes (branch vs beta version)
• No clear upgrade path to stable release documented

Recommendation:

• Clarify the actual shakapacker source being used
• Document the upgrade plan to stable releases
• Add monitoring for any beta-related issues

3. Potential Docker Build Cache Issues

Location: .controlplane/Dockerfile:75-77

Issue: Asset compilation happens in the final stage with SECRET_KEY_BASE=precompile_placeholder. If the secret changes, Docker won't rebuild this layer.

Risk: Stale assets could be used if configuration changes.

Recommendation:

• Move asset compilation to the build stage OR
• Add cache-busting mechanism tied to git commit SHA

---

⚠️ High Priority Issues

4. Package.json Version Mismatch

Location: package.json:95

Issue: package.json shows "shakapacker": "9.3.3" but Gemfile.lock shows 9.3.4.beta.0. This inconsistency can cause confusion.

Recommendation: Update package.json to match or document why versions differ.

5. Missing PropTypes Validation

Location: client/app/bundles/comments/components/Footer/ror_components/Footer.jsx:5-33

Issue: Icon components accept className and color props but have no PropTypes validation.

Code Quality: While functional, this reduces type safety and developer experience.

Recommendation:

import PropTypes from 'prop-types';

const CheckmarkIcon = ({ className = 'w-4 h-4', color = 'text-green-400' }) => (
  // ... implementation
);

CheckmarkIcon.propTypes = {
  className: PropTypes.string,
  color: PropTypes.string,
};

6. Procfile.dev Sleep Time Increased Without Justification

Location: Procfile.dev:9-10

Change: Sleep time increased from 5 to 15 seconds.

Issue: This adds 10 seconds to every development startup. Comment says "Increased sleep time to ensure rescript initial build completes" but doesn't explain why 5 seconds was insufficient.

Recommendation:

• Use proper wait/polling mechanism instead of arbitrary sleep
• If sleep is necessary, add detailed comment explaining the race condition
• Consider using wait-on npm package for more reliable synchronization

7. Commented Out Redis in Procfile.dev

Location: Procfile.dev:5

Issue: Redis line is commented with instruction to run as system service, but this breaks the "just run foreman start" developer experience.

Impact: New developers will encounter errors when Redis connections fail.

Recommendation:

• Either keep Redis in Procfile OR
• Update README setup instructions to explicitly require Redis system service
• Add health check that provides clear error message if Redis isn't running

---

📊 Performance Considerations

8. Early Hints Configuration

Location: config/shakapacker.yml:67-70

Positive: Early hints are enabled with debug mode.

Concern: Debug mode adds HTML comments to every response. This should be disabled in production.

Recommendation:

production:
  early_hints:
    enabled: true
    debug: <%= ENV['EARLY_HINTS_DEBUG'] == 'true' %>  # Control via env var

9. Thruster Configuration Missing

Issue: No config/thruster.yml or configuration file for Thruster settings.

Impact: Running with defaults may not be optimal for this application's needs.

Recommendation: Add explicit Thruster configuration documenting cache settings, timeouts, etc.

---

🔍 Code Quality Issues

10. Duplicate Configuration in Footer.jsx

Location: Footer.jsx:5-33

Issue: Three similar icon components with only minor differences.

Better Approach:

const Icon = ({ type, className = 'w-4 h-4', color = 'text-green-400' }) => {
  const paths = {
    checkmark: "M16.707 5.293a1 1 0 010 1.414...",
    checkmarkCircle: "M10 18a8 8 0 100-16...",
    info: "M18 10a8 8 0 11-16 0..."
  };
  
  return (
    <svg className={`${className} ${color}`} fill="currentColor" viewBox="0 0 20 20">
      <path fillRule="evenodd" d={paths[type]} clipRule="evenodd" />
    </svg>
  );
};

11. Inconsistent Stage Naming in Dockerfile

Location: .controlplane/Dockerfile:3, 35

Change: Added AS keyword (uppercase) for stage naming.

Issue: While correct, the change from lowercase as to uppercase AS is inconsistent with the original style.

Impact: Minor, but best practices suggest consistency.

12. Ruby Version Update Justification

Location: .ruby-version, Gemfile, GitHub workflows

Change: Ruby 3.4.3 → 3.4.6

Issue: PR description doesn't mention Ruby version update. This could be a security patch, but it's unclear.

Recommendation: Document reason for Ruby version bump (security, performance, bug fix?).

---

🧪 Test Coverage Concerns

13. No Tests for Early Hints Functionality

Issue: PR adds early hints feature but includes no automated tests.

Files Added: check_early_hints.js, check_early_hints.py are manual verification scripts, not automated tests.

Recommendation:

• Add RSpec system tests verifying early hints are sent in production mode
• Add integration tests for Thruster proxy functionality
• Consider adding tests to CI pipeline

14. Spec Helper Changes Need Tests

Location: spec/rails_helper.rb:71-79

Change: Reconfigured Capybara drivers with detailed comments.

Good: Clear documentation of driver setup.

Missing: No tests verify the new headless Chrome configuration works correctly.

---

📝 Documentation Review

15. Excellent Documentation Additions ✅

Files: docs/thruster.md, docs/early-hints-investigation.md, docs/verify-early-hints-manual.md, etc.

Positive: The PR adds extensive, well-written documentation explaining:

• Thruster setup and configuration
• Early hints verification procedures
• Troubleshooting guides
• Control Plane deployment considerations

This is exemplary work and should be the standard for all infrastructure changes.

16. README Updates ✅

Location: README.md:82-217

Good additions:

• Thruster section with clear benefits
• HTTP/2 configuration explained
• Links to detailed docs

Suggestion: Add a "Quick Start" section showing the one-command way to verify everything works.

---

🔒 Security Considerations

17. Early Hints Debug Mode Exposes Information

Location: config/shakapacker.yml:70

Risk: Debug mode adds HTML comments revealing:

• Asset paths and structure
• Preload hints configuration
• Potential internal implementation details

Severity: Low, but unnecessary information disclosure.

Recommendation: Ensure debug mode is disabled in production (see item #8).

18. External Link Security

Location: Footer.jsx:57-90

Good: All external links use rel="noopener noreferrer" ✅

This prevents reverse tabnabbing attacks. Well done!

---

✅ Positive Aspects

1. Comprehensive Documentation: Outstanding documentation in docs/ folder
2. Clear Git Commit Messages: The PR description clearly explains changes
3. Security Headers: External links properly secured with noopener noreferrer
4. Thoughtful Comments: Dockerfile includes helpful explanations
5. Production-Ready Approach: Shows understanding of deployment considerations
6. Control Plane Focus: Detailed CP-specific configuration and troubleshooting

---

📋 Action Items Summary

Must Fix Before Merge:

1. ✋ Add SECRET_KEY_BASE validation in production
2. ✋ Clarify shakapacker dependency source (beta vs branch)
3. ✋ Fix package.json shakapacker version mismatch
4. ✋ Document Redis requirement change in README
5. ✋ Disable early hints debug mode in production (or make it env-var controlled)

Should Fix:

6. Add PropTypes to icon components
7. Replace sleep with proper wait mechanism in Procfile.dev
8. Add automated tests for early hints
9. Refactor icon components to reduce duplication
10. Document Ruby version update reason

Nice to Have:

11. Add Thruster configuration file
12. Move asset compilation to build stage in Dockerfile
13. Add "Quick Start" section to README

---

Final Recommendation

Status: ⚠️ Approve with Required Changes

This PR demonstrates excellent engineering practices with thorough documentation and clear architectural decisions. However, the security concerns around SECRET_KEY_BASE and the beta dependency require resolution before production deployment.

The early hints implementation itself appears sound, and the Thruster integration follows best practices. Once the critical issues are addressed, this will be a valuable addition to the project.

Estimated effort to address critical issues: 2-4 hours

---

Great work on the documentation and implementation! The thoroughness of the docs/ additions sets a high bar. 🎉

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

docs/verify-early-hints-manual.md (1)

29-30: Fix markdown formatting for consistency.

The document has several markdown lint violations that should be corrected for style consistency:

1. Lines 29 & 38: Option headers use **bold** instead of markdown heading syntax
2. Lines 30 & 125: Code blocks lack language identifiers for proper syntax highlighting
3. Line 149: Dollar sign before command without showing output

🔎 Apply these fixes:

-**Option A: Separate 103 Entry (Best Case)**
-```
+### Option A: Separate 103 Entry (Best Case)
+
+```shell
 Name                    Status    Protocol    Type
 /                       103       h2          early-hints
 /                       200       h2          document
-```
+```

-**Option B: Headers Tab (More Common)**
+### Option B: Headers Tab (More Common)

 Click on the main document request, then check the **Headers** tab. Look for:

-1. Open DevTools → Network tab
+1. Open DevTools → Network tab
 2. Load the page
 3. Right-click in the Network tab → **Save all as HAR with content**
 4. Save the file as `early-hints-test.har`
 5. Open the HAR file in a text editor
-6. Search for `"status": 103` to find early hints responses
+6. Search for `"status": 103` to find early hints responses

-   ```html
+   ```html
    <!-- Shakapacker Early Hints: HTTP/1.1 103 SENT -->
    <!--   Total Links: 2 -->
    <!--   Packs: generated/RouterApp, generated/NavigationBarApp, generated/Footer, stimulus-bundle -->
    <!--   CSS Packs: generated/RouterApp, generated/NavigationBarApp, generated/Footer, stimulus-bundle -->
    <!--   Headers: -->
    <!--     </packs/css/generated/RouterApp-f6749bde.css>; rel=preload; as=style; crossorigin="anonymous" -->
    <!--     </packs/css/stimulus-bundle-165ebf44.css>; rel=preload; as=style; crossorigin="anonymous" -->
    <!--   Note: Browsers only process the FIRST 103 response -->
    <!--   Note: Puma only supports HTTP/1.1 Early Hints (not HTTP/2) -->
-   ```
+   ```

-```bash
-# Verbose curl to see all HTTP frames
-curl -v --http2 https://YOUR-REVIEW-APP.cpln.app/ 2>&1 | less
+```bash
+# Verbose curl to see all HTTP frames
+curl -v --http2 https://YOUR-REVIEW-APP.cpln.app/ 2>&1 | less
-# Look for lines like:
-# < HTTP/2 103
-# < link: ...
-# < HTTP/2 200
-```
+# Look for lines like:
+# < HTTP/2 103
+# < link: ...
+# < HTTP/2 200
+```

-```bash
-$ curl https://YOUR-REVIEW-APP.cpln.app/ 2>&1 | grep -A5 "Early Hints"
-```
+```bash
+$ curl https://YOUR-REVIEW-APP.cpln.app/ 2>&1 | grep -A5 "Early Hints"
+<!-- Output: -->
+```

Also applies to: 38-38, 125-125, 149-149

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d0fc8d1 and 79f6d6b.

⛔ Files ignored due to path filters (2)

• Gemfile.lock is excluded by !**/*.lock
• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (1)

• docs/verify-early-hints-manual.md (1 hunks)

🧰 Additional context used

🪛 LanguageTool

docs/verify-early-hints-manual.md

[style] ~139-~139: Try using a synonym here to strengthen your wording.
Context: ...t working, you'd see: 1. No HTML debug comments about early hints 2. No Link headers in...

(COMMENT_REMARK)

🪛 markdownlint-cli2 (0.18.1)

docs/verify-early-hints-manual.md

29-29: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

---

30-30: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

38-38: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

---

125-125: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

149-149: Dollar signs used before commands without showing output

(MD014, commands-show-output)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: claude-review

🔇 Additional comments (1)

docs/verify-early-hints-manual.md (1)

1-11: ✅ Previous review comment addressed properly.

The hardcoded PR review app URL has been successfully replaced with the YOUR-REVIEW-APP placeholder throughout the document. The note at lines 7–8 clearly instructs readers to substitute with their actual Control Plane URL, making this documentation reusable across PRs.