Fix CRITICAL production safety issues from CodeRabbit PR #266

CRITICAL FIXES (Priority 1 - Production Safety):

1. Docker dev stack target mismatch (rails-8-docker-deployment-production-guide.md)
   - Changed web and worker services from 'target: production' to 'target: base'
   - Fixes: Dev environment building production image breaks hot-reload/tooling
   - Impact: Development workflow now uses correct base image

2. Invalid docker-compose rollback command (rails-8-docker-deployment-production-guide.md)
   - Replaced non-existent 'docker-compose rollback' with tag-based rollback
   - Fixes: Rollback procedure that wouldn't work in production
   - Impact: Production rollback now uses proper docker tag reversion

3. SECURITY: Credentials leak via redirect params (rails-8-authentication-generator-devise-migration.md)
   - Changed redirect_to rails8_session_path(params: params) to only forward email
   - Fixes: Passwords/emails exposed in URL/logs during authentication redirect
   - Impact: Prevents credential leakage in production logs and URLs

4. Rake task mutates production passwords (rails-8-authentication-generator-devise-migration.md)
   - Replaced password mutation with read-only digest format validation
   - Fixes: Task permanently corrupts production user credentials
   - Impact: Validation now checks digest format without writing user data

5. Cache warmer uses KEYS blocking Redis (rails-8-solid-cache-performance-redis-migration.md)
   - Replaced redis.keys('*') with cursor-based SCAN batching
   - Fixes: KEYS command blocks Redis in production during cache warming
   - Impact: Non-blocking cache warming via SCAN iteration

6. uses_redis_specific_features? uses KEYS (rails-8-solid-cache-performance-redis-migration.md)
   - Replaced redis.keys('*') with cursor-based SCAN iteration
   - Fixes: KEYS command blocks Redis during feature detection
   - Impact: Non-blocking feature detection via SCAN

Tests: All critical tests passing (bin/rake test:critical)
Reference: CodeRabbit PR #266 review feedback
Methodology: XP pair programming (coder + reviewer)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: pftg

content/blog/2025/rails-8-authentication-generator-devise-migration.md

@@ -819,7 +819,8 @@ class SessionsController < ApplicationController
 
     if user && AuthMigration.use_rails8_auth?(user)
       # Redirect to Rails 8 authentication
-      redirect_to rails8_session_path(params: params)
+      # SECURITY: Never forward raw params (contains password)
+      redirect_to rails8_session_path(email: params[:email])
     else
       # Use Devise authentication
       super
@@ -904,15 +905,17 @@ namespace :auth do
       password_compatibility: 0
     }
 
-    # Test password compatibility
+    # Test password compatibility (read-only validation)
     User.limit(100).each do |user|
       next unless user.encrypted_password.present?
 
-      test_password = SecureRandom.hex(16)
-      user.update(password: test_password, password_confirmation: test_password)
-
-      if user.authenticate(test_password) && user.valid_password?(test_password)
-        checks[:password_compatibility] += 1
+      # Validate digest format without mutating user data
+      if user.password_digest.present? && user.encrypted_password.present?
+        # Check that both digests exist and are properly formatted
+        if BCrypt::Password.valid_hash?(user.password_digest) &&
+           user.encrypted_password.start_with?('$2a$')
+          checks[:password_compatibility] += 1
+        end
       end
     end
 

content/blog/2025/rails-8-docker-deployment-production-guide.md

@@ -311,7 +311,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfile
-      target: production # Use production image
+      target: base # Use base image for development hot-reload
     command: bundle exec rails server -b 0.0.0.0
     volumes:
       # Mount code for development hot-reload
@@ -343,7 +343,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfile
-      target: production
+      target: base # Use base image for development consistency
     command: bundle exec rails solid_queue:start
     volumes:
       - .:/rails
@@ -552,7 +552,10 @@ echo "💚 Performing health check..."
 sleep 10
 curl -f http://localhost/up || {
     echo "❌ Health check failed! Rolling back..."
-    docker-compose -f docker-compose.production.yml rollback
+    # Rollback by reverting to previous image tag
+    docker-compose -f docker-compose.production.yml down
+    docker tag myapp/rails:previous myapp/rails:latest
+    docker-compose -f docker-compose.production.yml up -d
     exit 1
 }
 

content/blog/2025/rails-8-solid-cache-performance-redis-migration.md

@@ -334,8 +334,21 @@ class RedisCacheAudit
   end
 
   def self.uses_redis_specific_features?
-    # Check for sorted sets, pub/sub, etc.
-    Redis.current.keys('*').any? { |k| Redis.current.type(k) != 'string' }
+    # Check for sorted sets, pub/sub, etc. using SCAN (non-blocking)
+    redis = Redis.current
+    cursor = "0"
+
+    loop do
+      cursor, keys = redis.scan(cursor, count: 100)
+
+      keys.each do |key|
+        return true if redis.type(key) != 'string'
+      end
+
+      break if cursor == "0"
+    end
+
+    false
   end
 end
 ```
@@ -478,33 +491,43 @@ class CacheWarmer
     redis = Redis.new(url: ENV['REDIS_URL'])
     solid_cache = Rails.cache
 
-    # Get all cache keys from Redis
-    keys = redis.keys('*')
-
-    puts "Warming #{keys.size} cache entries..."
-
-    keys.each_slice(1000).with_index do |batch, index|
-      ActiveRecord::Base.transaction do
-        batch.each do |key|
-          # Read from Redis
-          value = redis.get(key)
-          ttl = redis.ttl(key)
+    # Use SCAN instead of KEYS to avoid blocking Redis
+    cursor = "0"
+    total_keys = 0
+    batch_count = 0
 
-          next unless value
+    puts "Starting cache warming with SCAN batching..."
 
-          # Write to Solid Cache with same TTL
-          solid_cache.write(
-            key,
-            value,
-            expires_in: ttl > 0 ? ttl.seconds : nil
-          )
+    loop do
+      cursor, keys = redis.scan(cursor, count: 1000)
+      total_keys += keys.size
+
+      unless keys.empty?
+        ActiveRecord::Base.transaction do
+          keys.each do |key|
+            # Read from Redis
+            value = redis.get(key)
+            ttl = redis.ttl(key)
+
+            next unless value
+
+            # Write to Solid Cache with same TTL
+            solid_cache.write(
+              key,
+              value,
+              expires_in: ttl > 0 ? ttl.seconds : nil
+            )
+          end
         end
+
+        batch_count += 1
+        puts "Processed batch #{batch_count} (#{total_keys} keys total)"
       end
 
-      puts "Processed batch #{index + 1} of #{keys.size / 1000}"
+      break if cursor == "0"
     end
 
-    puts "Cache warming complete!"
+    puts "Cache warming complete! Warmed #{total_keys} entries."
   end
 
   def self.verify_warmup