Improve code quality and security in ServiceChecker

Code improvements:
- Extract configuration keys as CONFIG_KEYS constant for maintainability
- Use constants throughout instead of magic strings
- More specific exception handling (Errno::ENOENT vs StandardError)
- Add debug logging for unexpected errors (enabled with DEBUG env var)

Security improvements:
- Enhanced security warnings in .dev-services.yml.example files
- Added best practices section about avoiding shell metacharacters
- Documented risks of complex shell scripts and chained commands
- Emphasized keeping commands simple and focused

All tests passing (14/14). Zero RuboCop offenses.

Addresses feedback from PR review.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: justin808

lib/generators/react_on_rails/templates/base/base/.dev-services.yml.example

@@ -13,6 +13,12 @@
 # sensitive information or custom paths specific to your machine. Consider
 # adding .dev-services.yml to .gitignore if it contains machine-specific config.
 #
+# Security best practices:
+# - Use simple commands without shell metacharacters when possible
+# - Avoid complex shell scripts or chained commands (&&, ||, |, etc.)
+# - Only include services you trust
+# - Keep commands simple and focused on service health checks
+#
 # Example configuration:
 #
 # services:

lib/react_on_rails/dev/service_checker.rb

@@ -24,8 +24,19 @@ module Dev
     #     description: "PostgreSQL database"
     #
     class ServiceChecker
+      # Configuration file keys
+      CONFIG_KEYS = {
+        services: "services",
+        check_command: "check_command",
+        expected_output: "expected_output",
+        start_command: "start_command",
+        install_hint: "install_hint",
+        description: "description"
+      }.freeze
+
       class << self
         # Check all required services and provide helpful output
+        #
         # @param config_path [String] Path to .dev-services.yml (default: ./.dev-services.yml)
         # @return [Boolean] true if all services are running or no config exists
         def check_services(config_path: ".dev-services.yml")
@@ -40,13 +51,13 @@ def check_services(config_path: ".dev-services.yml")
         private
 
         def config_has_services?(config)
-          config && config["services"] && !config["services"].empty?
+          config && config[CONFIG_KEYS[:services]] && !config[CONFIG_KEYS[:services]].empty?
         end
 
         def check_and_report_services(config, config_path)
           print_services_header(config_path)
 
-          failures = collect_service_failures(config["services"])
+          failures = collect_service_failures(config[CONFIG_KEYS[:services]])
 
           report_results(failures)
         end
@@ -56,10 +67,10 @@ def collect_service_failures(services)
 
           services.each do |name, service_config|
             if check_service(name, service_config)
-              print_service_ok(name, service_config["description"])
+              print_service_ok(name, service_config[CONFIG_KEYS[:description]])
             else
               failures << { name: name, config: service_config }
-              print_service_failed(name, service_config["description"])
+              print_service_failed(name, service_config[CONFIG_KEYS[:description]])
             end
           end
 
@@ -86,8 +97,8 @@ def load_config(config_path)
         end
 
         def check_service(_name, config)
-          check_command = config["check_command"]
-          expected_output = config["expected_output"]
+          check_command = config[CONFIG_KEYS[:check_command]]
+          expected_output = config[CONFIG_KEYS[:expected_output]]
 
           return false if check_command.nil?
 
@@ -105,7 +116,12 @@ def run_check_command(command)
           stdout, stderr, status = Open3.capture3(command, err: %i[child out])
           output = stdout + stderr
           [output, status]
-        rescue StandardError
+        rescue Errno::ENOENT
+          # Command not found - service is not available
+          ["", nil]
+        rescue StandardError => e
+          # Log unexpected errors for debugging
+          warn "Unexpected error checking service: #{e.message}" if ENV["DEBUG"]
           ["", nil]
         end
 
@@ -142,20 +158,20 @@ def print_failures_summary(failures)
           failures.each do |failure|
             name = failure[:name]
             config = failure[:config]
-            description = config["description"] || name
+            description = config[CONFIG_KEYS[:description]] || name
 
             puts Rainbow(name.to_s).cyan.bold
-            puts "   #{description}" if config["description"]
+            puts "   #{description}" if config[CONFIG_KEYS[:description]]
 
-            if config["start_command"]
+            if config[CONFIG_KEYS[:start_command]]
               puts ""
               puts "   #{Rainbow('To start:').yellow}"
-              puts "   #{Rainbow(config['start_command']).green}"
+              puts "   #{Rainbow(config[CONFIG_KEYS[:start_command]]).green}"
             end
 
-            if config["install_hint"]
+            if config[CONFIG_KEYS[:install_hint]]
               puts ""
-              puts "   #{Rainbow('Not installed?').yellow} #{config['install_hint']}"
+              puts "   #{Rainbow('Not installed?').yellow} #{config[CONFIG_KEYS[:install_hint]]}"
             end
 
             puts ""

spec/dummy/.dev-services.yml.example

@@ -13,6 +13,12 @@
 # sensitive information or custom paths specific to your machine. Consider
 # adding .dev-services.yml to .gitignore if it contains machine-specific config.
 #
+# Security best practices:
+# - Use simple commands without shell metacharacters when possible
+# - Avoid complex shell scripts or chained commands (&&, ||, |, etc.)
+# - Only include services you trust
+# - Keep commands simple and focused on service health checks
+#
 # For the React on Rails dummy app, we typically don't require external services,
 # but here are some common examples you might use in a real application: