Walkthrough

Consolidates license loading to use only the REACT_ON_RAILS_PRO_LICENSE environment variable, removes file-system-based loading and fs/path usage in the Node renderer, adds legacy config-file detection and migration notices in the Rails engine, and updates tests and documentation accordingly.

Changes

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I hopped from file to env so free,
No hidden keys beneath a tree,
One token now, tidy and bright,
A migration nudge, gentle and light,
Hooray — simpler days in sight! ✨

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

size-limit report 📦

Greptile Summary

This PR removes the legacy file-based license configuration (config/react_on_rails_pro_license.key) and standardizes on environment variable only (REACT_ON_RAILS_PRO_LICENSE). Both Ruby and Node validators now exclusively read from the environment variable. Documentation has been updated throughout to reflect this change, and a runtime migration warning was added to alert users still using the legacy file approach.

Key Changes:

• Ruby validator: removed file reading logic from load_license_string
• Node validator: removed fs/path imports and file-based loading
• Engine: added legacy_license_file_present? check and migration warning
• Tests: removed file-based test scenarios and fs mocks
• Docs: updated LICENSE_SETUP.md, installation.md, updating.md, and CLAUDE.md
• Added TODO comment for removing migration warning after 16.5.0 stable

Issues Found:

• Test expectations in engine_spec.rb appear to be incorrect (lines 62-65 and 192-195)

Confidence Score: 4/5

• Safe to merge after fixing test expectations
• Implementation is clean and well-tested, but test expectations need correction to match actual behavior (single logger call vs two separate calls)
• react_on_rails_pro/spec/react_on_rails_pro/engine_spec.rb - fix test expectations for migration warnings

Important Files Changed

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[App Startup] --> B{License Status Check}
    B -->|Valid License| C[App Runs Normally]
    B -->|Missing License| D{Legacy File Exists?}
    D -->|Yes| E[Log Migration Warning]
    D -->|No| F[Log Missing License]
    E --> G{Environment}
    F --> G
    G -->|Production| H[Warn: License Violation]
    G -->|Dev/Test| I[Info: No License Required]
    H --> J[App Continues]
    I --> J
    B -->|Expired/Invalid| K[Log License Issue]
    K --> G
    
    style E fill:#ff9
    style H fill:#faa
    style I fill:#afa

_{Last reviewed commit: 4e09661}

PR Review: Remove Pro License Key-File Fallback

Overall, the goal of this PR is sound — simplifying the license loading path to env-var-only and adding a migration warning is the right approach. The Ruby implementation in engine.rb and the documentation updates are clean. However, there are issues that need addressing before merging.

Critical: Test Expectations Are Wrong (engine_spec.rb)

The two new spec contexts (when legacy license file exists) have incorrect message expectations that will cause test failures.

The problem: log_legacy_license_migration_notice emits a single Rails.logger.warn (or info) call containing both "legacy license file" and "REACT_ON_RAILS_PRO_LICENSE" in one message. But the tests set up two separate receive expectations:

expect(mock_logger).to receive(:warn).with(/legacy license file/)       # expects call #1
expect(mock_logger).to receive(:warn).with(/REACT_ON_RAILS_PRO_LICENSE/) # expects call #2
described_class.log_license_status

What actually happens when log_license_status runs in the missing-license production context:

• Call 1: Migration notice — "[React on Rails Pro] Detected legacy license file at …, but this file is no longer read. Move your token to REACT_ON_RAILS_PRO_LICENSE." — satisfies the first expectation (/legacy license file/).
• Call 2: License issue — "[React on Rails Pro] No license found. Using React on Rails Pro…" — does not match /REACT_ON_RAILS_PRO_LICENSE/, so the second expectation is never satisfied.

Result: warn expected 1 time with arguments matching /REACT_ON_RAILS_PRO_LICENSE/ but received 0 times.

The same problem affects the development context with info calls.

Fix: Combine into a single expectation that matches the full migration notice, and use allow or receive (without with) for the other warn/info calls:

it "logs migration warning" do
  expect(mock_logger).to receive(:warn)
    .with(/Detected legacy license file.*REACT_ON_RAILS_PRO_LICENSE/m)
  allow(mock_logger).to receive(:warn)  # allow the license-issue warning
  described_class.log_license_status
end

Or, if you want to verify both messages separately, use ordered expectations and match each call's actual content.

Minor: Empty #### Pro Section in CHANGELOG

The diff adds a bare #### Pro heading under [Unreleased] with no content beneath it. If this is a placeholder, it should have at least a single line (e.g., a reference to this PR's change). Otherwise it should be omitted — an empty subsection will confuse changelog readers.

Minor: Node.js Side Has No Migration Warning

The Ruby Engine now logs a migration notice when the legacy key file is detected. The Node licenseValidator.ts was symmetrically simplified (file-reading code removed), but there is no equivalent Node-side warning. A user running the Node renderer in a setup where only the legacy file exists will just receive a silent 'missing' status from Node, while only the Ruby side explains why.

This is acceptable if the intent is to rely solely on the Ruby warning, but it's worth documenting explicitly (the current PR description implies both sides warn).

Nitpick: Redundant || undefined in TypeScript

return envLicense || undefined;

Since envLicense is already string | undefined (empty string is falsy), this is fine logically, but || undefined adds noise. envLicense being "" and returning undefined is the intended behavior — just worth a brief comment explaining the falsy-string edge case, since it's not obvious.

What's Good

• The Ruby load_license_string simplification is clean and correct.
• The legacy_license_file_present? detection logic and the log_legacy_license_migration_notice implementation are solid.
• private_constant :LEGACY_LICENSE_FILE with the dated TODO comment is a good practice.
• Removing the file-read fallback from license_validator.rb and its corresponding specs is done correctly.
• Documentation updates across LICENSE_SETUP.md, installation.md, updating.md, and CLAUDE.md are clear and accurate.
• The deprecation policy section added to updating.md is a useful governance addition.

Review: Remove Pro license key-file fallback

The overall direction of this PR is good — removing the file-based fallback simplifies the license loading path and the migration warning is a thoughtful addition. A few issues worth addressing before merging:

Breaking change missing from CHANGELOG

The #### Pro section added under [Unreleased] is empty. Removing the config/react_on_rails_pro_license.key fallback is a breaking change for any user relying on that file. It needs a changelog entry, e.g.:

#### Pro

- **Breaking**: Removed file-based license key fallback (`config/react_on_rails_pro_license.key`). License must now be configured via the `REACT_ON_RAILS_PRO_LICENSE` environment variable. See the [migration guide](react_on_rails_pro/docs/updating.md) for details.

Node.js side has no migration warning

engine.rb logs a warning when the legacy key file is detected but no env var is set. The Node.js licenseValidator.ts has no equivalent. If a user runs only a Node renderer (no Ruby startup), they'll get a silent "missing" status with no hint about the renamed approach. This is an asymmetry worth noting, even if fixing it is deferred.

Minor: load_license_string redundant nil guard

ENV.fetch("REACT_ON_RAILS_PRO_LICENSE", nil) already returns nil when unset; license && in license if license && \!license.strip.empty? is harmless but redundant. Could simplify to license unless license.nil? || license.strip.empty? — though this is purely stylistic.

Review: Remove Pro license key-file fallback

Overall this is a clean, well-scoped change with good rationale. The env-var-only approach is simpler, more secure, and consistent with modern deployment practices. The migration notice and deprecation policy doc are thoughtful additions.

Positive highlights

• Removing filesystem-based license loading reduces attack surface (no symlink/path traversal risks on the license file path).
• The double-checked locking pattern in LicenseValidator is preserved and correct.
• Algorithm pinning (RS256) on JWT verification remains in both Ruby and Node validators — good.
• The private_constant on LEGACY_LICENSE_FILE is appropriate.
• The TODO with a concrete version + date target (16.5.0 / 2026-05-31) is better than an open-ended one.

Issues

1. Test coverage gap in the legacy-file warning contexts (engine_spec.rb)

The new nested contexts only assert the migration message was warned/info'd, but don't verify that the primary log_license_issue call (/No license found/) is also still emitted. Both assertions target patterns that match the single migration notice message — the second warn call from log_license_issue goes unchecked. If someone accidentally removed the log_license_issue call after the guard, these tests would still pass.

Suggested addition to each new context:

expect(mock_logger).to have_received(:warn).with(/No license found/)  # production context
# or
expect(mock_logger).to have_received(:info).with(/No license found/)  # dev context

2. Migration warning silently skipped for expired/invalid licenses

log_legacy_license_migration_notice is only triggered under the :missing branch. A user who placed the wrong token in the env var (so status is :invalid) while still having the legacy file present will not receive the migration notice. This may be intentional — they have the env var configured, just with a bad value — but it is worth an explicit comment in the code (or a broader guard) so the decision is clear to future maintainers.

3. Minor: redundant || undefined in TypeScript

return envLicense || undefined;

envLicense is already string | undefined. The || undefined correctly coerces the empty-string case to undefined, but the intent isn't obvious at a glance. A comment or a more explicit form (e.g., return envLicense || undefined /* coerce empty string */) would help readers understand why the original if (envLicense) { return envLicense; } pattern was simplified this way.

4. license_task_formatter.rb — missing migration hint

The now-removed line puts "or place a key file at config/react_on_rails_pro_license.key" was replaced with nothing. If a user runs the license Rake task and sees only No license found. Set REACT_ON_RAILS_PRO_LICENSE, they get no hint that they may have a legacy file that's being ignored. Consider adding a check there similar to the engine migration notice, or at minimum a note in the formatter output.

PR Review: Remove Pro license key-file fallback

Overall this is a clean, well-structured change. The env-var-only approach is simpler and more secure, the migration notice in the engine is appropriately scoped by environment, and the Ruby/Node implementations are kept in sync. A few issues worth addressing before merge:

Bug: Stale Rails.root stub in license_task_formatter_spec.rb

license_task_formatter_spec.rb (not modified in this PR) still has:

let(:mock_root) { instance_double(Pathname, join: config_file_path) }
let(:config_file_path) { instance_double(Pathname, exist?: false) }
# ...
allow(Rails).to receive(:root).and_return(mock_root)

Since LicenseValidator no longer calls Rails.root at all, this stub and its related let declarations are now dead code. They should be removed alongside this PR's changes to keep the spec clean and avoid misleading future readers.

UX gap: rake verify_license task misses the migration hint

LicenseTaskFormatter now only prints:

No license found. Set REACT_ON_RAILS_PRO_LICENSE

But if a developer has the legacy config/react_on_rails_pro_license.key and runs rake react_on_rails_pro:verify_license, they will see that message without any indication that their existing key file is being ignored. The engine initializer does log a migration warning, but the rake task output is often the first place a developer looks when debugging license issues. Consider surfacing the same legacy-file hint in LicenseTaskFormatter (e.g., accepting an optional legacy_file_present: flag from the rake task caller).

Minor: redundant test assertions match the same warn call

In engine_spec.rb, for the legacy-file-present contexts:

expect(mock_logger).to have_received(:warn).with(/legacy license file/)
expect(mock_logger).to have_received(:warn).with(/REACT_ON_RAILS_PRO_LICENSE/)

Both patterns are matched by the single warn call from log_legacy_license_migration_notice. have_received(:warn).with checks that at least one call matched the pattern, so both assertions can pass against the same invocation. A single assertion with a combined pattern (e.g., /legacy license file.*REACT_ON_RAILS_PRO_LICENSE/m) or an exactly(1).times guard would more precisely express the intent and catch future regressions if one portion of the message is removed.

Review Notes

The overall approach is sound: dropping file-based license loading simplifies the codebase, reduces the attack surface, and the runtime migration notice is a good UX touch for users who haven't migrated yet. A few things worth addressing before merge:

Missing CHANGELOG entry

This PR introduces a breaking change for any users still relying on config/react_on_rails_pro_license.key. The PR description says it removes an existing changelog bullet as "non-compliant", but doesn't add a replacement entry. Given the project's documented practice (see the [Unreleased] section in CHANGELOG.md), a brief #### Breaking Changes or #### Changed (Pro) entry for 16.4.0 should document this removal and point readers to the migration note in docs/updating.md.

TODO without an issue reference (engine.rb:8)

# TODO: Remove this legacy migration warning path after 16.5.0 stable release (target: 2026-05-31).

Date-anchored TODOs tend to get missed. Linking to a GitHub issue (e.g., # TODO: Remove ... See #XXXX) would make follow-through easier to track.

Missing negative test: env var set + legacy file present

The new engine specs test that the migration notice fires when the file is detected and the env var is absent. But there's no test confirming the notice is suppressed when the env var is valid and the legacy file also exists — which is the "happy migration path" many users will hit. Without this test, a regression where the notice fires unconditionally would go undetected.

Spec assertions match a single warn call twice

In engine_spec.rb (production context), the new test does:

expect(mock_logger).to have_received(:warn).with(/legacy license file/)
expect(mock_logger).to have_received(:warn).with(/REACT_ON_RAILS_PRO_LICENSE/)

Both patterns are satisfied by the same single warn call (the migration notice message contains both substrings). This works correctly, but gives the appearance of verifying two distinct log lines. A single assertion with a combined regex — or a comment noting they target the same message — would make the test intent clearer.

TypeScript: return envLicense || undefined is benign but slightly surprising

const envLicense = process.env.REACT_ON_RAILS_PRO_LICENSE?.trim();
return envLicense || undefined;

envLicense is already string | undefined, so an empty string ("") after trim goes through || undefined → undefined. This is correct. The pattern is slightly unusual; return envLicense || undefined is equivalent to just return envLicense || undefined but could also be written as return envLicense ? envLicense : undefined to make the empty-string case more explicit. Minor style point, not a bug.

Review Summary

Overall the PR is clean and well-structured. The approach of env-var-only validation (removing the file fallback) is the right direction, and the runtime migration warning with a TODO-with-date is good practice. A few items to address:

Must Fix

Missing CHANGELOG entry. This is a breaking change: users relying on config/react_on_rails_pro_license.key will silently get a missing license status after upgrading. The PR description says it removes a "non-compliant" unreleased bullet but never adds a compliant replacement. Per the project's conventions, a Pro ##### Breaking Changes entry is needed in the [Unreleased] section:

- **Removed legacy key-file license fallback**: `config/react_on_rails_pro_license.key` is no longer read.
  Move your token to the `REACT_ON_RAILS_PRO_LICENSE` environment variable.
  A migration warning is logged at startup when the legacy file is detected without the env var set.
  [PR 2454](https://github.com/shakacode/react_on_rails/pull/2454) by [ihabadham](https://github.com/ihabadham).

Migration hint missing from rake task output. The react_on_rails_pro:verify_license rake task prints its status directly to stdout via LicenseTaskFormatter, bypassing Rails.logger. When a user runs the task and the legacy file is present but the env var is not set, the stdout output just says "No license found. Set REACT_ON_RAILS_PRO_LICENSE" — with no mention of the legacy file. The engine-initializer migration warning only reaches the Rails log, which a CI pipeline checking rake exit codes may never surface. Consider echoing the migration hint from within print_status_line too (it has access to no file-system context currently — it could be passed in as a flag, or the rake task itself could check and prepend a line).

Already Flagged by Other Reviewers (Agree)

• TypeScript caching sentinel (CodeRabbit): cachedLicenseOrganization and cachedLicensePlan use undefined as both the uninitialised sentinel and the "computed but not found" value, so JWT re-verification runs on every call when the license is missing/invalid. The sentinel-symbol fix CodeRabbit suggested is the right approach.
• Redundant allow stubs in engine_spec (CodeRabbit): mock_logger is already fully stubbed by instance_double(Logger, warn: nil, info: nil), so the extra allow(mock_logger).to receive(:warn/info) before have_received assertions are noise.

Code Review

Overall, this is a clean and well-reasoned PR. Removing the file-based license fallback and migrating to env-var-only is a good security improvement. The implementation is solid. A few observations below.

✅ What's done well

• Correct caching fix: The UNINITIALIZED symbol sentinel properly fixes the pre-existing bug where a cached undefined org or plan couldn't be distinguished from "never computed." The previous \!== undefined guard would have silently re-decoded the JWT on every call when the field was absent.
• Migration UX: Logging a migration notice at startup (only when the legacy file exists AND no env var is set) is well-targeted. The condition is correct — :missing means the env var is absent, so the notice only fires when the user actually needs it.
• Thread-safety: The Ruby side correctly uses defined?(@ivar) + double-checked locking with LICENSE_MUTEX. The Node side correctly acknowledges that JS is single-threaded per-worker and redundant computation is acceptable.
• JWT security posture: Algorithm is pinned to RS256, signature verification is never disabled — no regressions here.

⚠️ Issues to address

1. Inconsistent cache sentinel in TypeScript (licenseValidator.ts)

cachedLicenseStatus still uses undefined as its "not-yet-initialized" sentinel while cachedLicenseOrganization and cachedLicensePlan now use UNINITIALIZED. This is technically correct today (since LicenseStatus = 'valid' | 'expired' | 'invalid' | 'missing' never equals undefined), but it's an inconsistency that could silently break if the type ever changes, and it's not obvious at a glance why cachedLicenseStatus doesn't follow the same pattern as the other two. A short comment explaining the asymmetry would prevent confusion for future maintainers.

2. Misleading || undefined idiom in loadLicenseString (TypeScript)

return envLicense || undefined;

envLicense is already typed string | undefined via optional chaining. The || undefined is doing real work (converting an empty string to undefined) but looks like accidental noise because the type already allows undefined. A brief inline comment — or replacing with return envLicense || undefined; // treat empty string as missing — would help.

3. Redundant test expectations (engine_spec.rb)

Both these assertions match the same single logged message:

expect(mock_logger).to have_received(:warn).with(/legacy license file/)
expect(mock_logger).to have_received(:warn).with(/REACT_ON_RAILS_PRO_LICENSE/)

The migration notice is one string that contains both substrings. Having two expectations that resolve to the same call doesn't add coverage — it just makes it look like two separate log calls are expected. Either collapse to one assertion with a combined regex (/legacy license file.*REACT_ON_RAILS_PRO_LICENSE/) or add a comment clarifying it's the same call.

ℹ️ Minor notes

• The TODO date (2026-05-31) is sensible given the 16.5.0 target window.
• private_constant :LEGACY_LICENSE_FILE is good hygiene.
• The new whitespace-trimming tests in license_validator_spec.rb (with surrounding whitespace, with trailing newline) are a welcome addition — these are exactly the edge cases that burn users in CI.
• The mock_root.join stub uses a catch-all (instance_double(Pathname, join: config_file_path)) which would intercept any Rails.root.join call in the test, but since LicenseValidator#load_license_string no longer calls Rails.root.join, this doesn't cause any test pollution.

All five items reviewed — no changes needed:

1. Expired/invalid + legacy file: If the env var is set (even to a bad value), the user has already migrated. The migration notice doesn't apply, and the cleanup notice is secondary to the actual problem (expired/invalid token).

2. Overlapping matchers: Both matchers happen to match the same warn call, but have_received checks all calls independently — the test is correct. Third assertion (/No license found/) verifies the separate log_license_issue call.

3. Cache sentinel asymmetry: Addressed in two previous rounds. Intentional — LicenseStatus is a string union that can never be undefined.

4. Comment accuracy: The comment describes the end-to-end effect (whitespace-only env var → undefined). The fact that .trim() handles the whitespace step is an implementation detail — the comment explains why || undefined exists.

5. Mixed RSpec patterns: The spy pattern (allow + have_received) was already used by the adjacent legacy-file tests before this commit. Matched surrounding style.