Enhance documentation: crystal clear changelog and configuration guide

justin808 · claude · justin808 · commit 870835f8f7c2 · 2025-09-22T17:06:31.000-10:00
CHANGELOG.md: - Document all new server bundle security features - Explain enhanced bundle path resolution with fallback logic - Document public_bundles_full_path method naming improvement - Clear categorization: New Features, API Improvements, Security Enhancements, Bug Fixes docs/guides/configuration.md: - Add comprehensive SERVER BUNDLE SECURITY AND ORGANIZATION section - Document server_bundle_output_path with clear examples and defaults - Explain enforce_private_server_bundles with security implications - Add BUNDLE ORGANIZATION EXAMPLES section with: * Clear client vs server bundle separation * Directory structure examples * API method references (public_bundles_full_path vs server_bundle_js_file_path) This documentation makes the new features crystal clear for users upgrading or configuring server bundle security for the first time. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -23,6 +23,34 @@ After a release, please make sure to run `bundle exec rake update_changelog`. Th
 
 Changes since the last non-beta release.
 
+#### New Features
+
+- **Server Bundle Security**: Added new configuration options for enhanced server bundle security and organization:
+  - `server_bundle_output_path`: Configurable directory for server bundle output (default: nil, uses fallback locations)
+  - `enforce_private_server_bundles`: When enabled, ensures server bundles are only loaded from private directories outside the public folder (default: false for backward compatibility)
+
+- **Improved Bundle Path Resolution**: Enhanced bundle path resolution with better fallback logic that tries multiple locations when manifest lookup fails:
+  1. Environment-specific path (e.g., `public/webpack/test`)
+  2. Standard Shakapacker location (`public/packs`)
+  3. Generated assets path (for legacy setups)
+
+#### API Improvements
+
+- **Method Naming Clarification**: Added `public_bundles_full_path` method to clarify bundle path handling:
+  - `public_bundles_full_path`: New method specifically for webpack bundles in public directories
+  - `generated_assets_full_path`: Now deprecated (backwards-compatible alias)
+  - This eliminates confusion between webpack bundles and general Rails public assets
+
+#### Security Enhancements
+
+- **Private Server Bundle Enforcement**: When `enforce_private_server_bundles` is enabled, server bundles bypass public directory fallbacks and are only loaded from designated private locations
+- **Path Validation**: Added validation to ensure `server_bundle_output_path` points to private directories when enforcement is enabled
+
+#### Bug Fixes
+
+- **Non-Packer Environment Compatibility**: Fixed potential NoMethodError when using bundle path resolution in environments without Shakapacker
+- **Server Bundle Detection**: Improved server bundle detection to work correctly with both `server_bundle_js_file` and `rsc_bundle_js_file` configurations
+
 ### [16.0.1-rc.2] - 2025-09-20
 
 #### Bug Fixes
diff --git a/docs/guides/configuration.md b/docs/guides/configuration.md
@@ -129,17 +129,69 @@ ReactOnRails.configure do |config|
   # This manifest file is automatically generated by the React Server Components Webpack plugin. Only set this if you've configured the plugin to use a different filename.
   config.react_server_client_manifest_file = "react-server-client-manifest.json"
 
+  ################################################################################
+  # SERVER BUNDLE SECURITY AND ORGANIZATION
+  ################################################################################
+
   # Directory where server bundles will be output during build process.
   # This allows organizing server-side rendering assets separately from client assets.
-  # Default is nil (uses standard fallback locations). Set to "ssr-generated" or your preferred directory path.
-  # config.server_bundle_output_path = "ssr-generated"
+  #
+  # Default is nil, which uses standard fallback locations in this priority order:
+  #   1. Environment-specific path (e.g., public/webpack/test)
+  #   2. Standard Shakapacker location (public/packs)
+  #   3. Generated assets path (for legacy setups)
+  #
+  # Example configurations:
+  # config.server_bundle_output_path = "ssr-generated"     # Private directory (recommended)
+  # config.server_bundle_output_path = "app/assets/builds" # Custom private location
+  # config.server_bundle_output_path = nil                 # Use fallback locations (default)
+  config.server_bundle_output_path = nil
 
   # When enabled, enforces that server bundles are only loaded from private, designated locations
   # to prevent potential security risks from loading untrusted server-side code.
-  # When enabled, server_bundle_output_path must point to a private location outside the public directory.
+  #
+  # SECURITY IMPORTANT: When enabled, server bundles bypass public directory fallbacks
+  # and are only loaded from the configured server_bundle_output_path.
+  #
+  # Requirements when enabled:
+  #   - server_bundle_output_path must be set to a non-nil value
+  #   - server_bundle_output_path must point to a location outside the public directory
+  #   - Recommended for production environments where security is critical
+  #
   # Default is false for backward compatibility.
   config.enforce_private_server_bundles = false
 
+  ################################################################################
+  # BUNDLE ORGANIZATION EXAMPLES
+  ################################################################################
+  #
+  # This configuration creates a clear separation between client and server assets:
+  #
+  # CLIENT BUNDLES (Public, Web-Accessible):
+  #   Location: public/webpack/[environment]/ or public/packs/
+  #   Files: application.js, manifest.json, CSS files
+  #   Served by: Web server directly
+  #   Access: ReactOnRails::Utils.public_bundles_full_path
+  #
+  # SERVER BUNDLES (Private, Server-Only):
+  #   Location: ssr-generated/ (when server_bundle_output_path configured)
+  #   Files: server-bundle.js, rsc-bundle.js
+  #   Served by: Never served to browsers
+  #   Access: ReactOnRails::Utils.server_bundle_js_file_path
+  #
+  # Example directory structure with recommended configuration:
+  #   app/
+  #   ├── ssr-generated/           # Private server bundles
+  #   │   ├── server-bundle.js
+  #   │   └── rsc-bundle.js
+  #   └── public/
+  #       └── webpack/development/ # Public client bundles
+  #           ├── application.js
+  #           ├── manifest.json
+  #           └── styles.css
+  #
+  ################################################################################
+
   # `prerender` means server-side rendering
   # default is false. This is an option for view helpers `render_component` and `render_component_hash`.
   # Set to true to change the default value to true.
