spree_api 5.4.0.rc2 → 5.4.0.rc4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 78b4c09d45771aeb527cc5f623c07cca20e2920d2d083e7641573b8b95cadbf2
-  data.tar.gz: 2dc7b84ce1f3e9b59fa3a6bc8c874d4488d8480841839765a5af4a8d21dcf30f
+  metadata.gz: 6509e525568a3b8ea64e7f0f798f4aa97269c1f050d8df3f8a0674fc53001935
+  data.tar.gz: 38bb74377c55de6b865eb28a1014fce6e5744714f44e8bf9484403e92d935044
 SHA512:
-  metadata.gz: 412d63a74d08c348e9f76fd366552dc2af424ed3b42971896e3fdbe7e38c886592f5680207eb1805700f4e12c98a368428f50f4c389ee79953218729acd9c159
-  data.tar.gz: 4034da7fbd869926562e842632d12b2bc39eb3338987fc60904e6c08b1a4905d621735c713d0fe212a2319125fdcdb11616872479b0d18d8f5d280456f5cf9b1
+  metadata.gz: d748f15cd7c17a7c1bf1f9bc0bec2b22e4326c8a5088ab6989e5904ea2c315f0dad52035f6407a2995728e35ce2cf2b1adfb35f48a025d13007e658f4ee16ad1
+  data.tar.gz: c0c909f704cbdd2088b15fde911e7ceb4b919ea233c2145406bdac76e2e615046cd2b82a54c0992a4bdb518930123cd3e9c5b2a2fb4eb31d05bf98232a177cb7

data/app/controllers/concerns/spree/api/v3/cart_resolvable.rb

@@ -26,7 +26,8 @@ module Spree
 
         # Render the cart as JSON using the cart serializer.
         def render_cart(status: :ok)
-          render json: Spree.api.cart_serializer.new(@cart.reload, params: serializer_params).to_h, status: status
+          @cart = @cart.remove_out_of_stock_items!
+          render json: Spree.api.cart_serializer.new(@cart, params: serializer_params).to_h, status: status
         end
 
         # Render the order as JSON using the order serializer (for complete action).

data/app/controllers/concerns/spree/api/v3/error_handler.rb

@@ -48,6 +48,11 @@ module Spree
           payment_processing_error: 'payment_processing_error',
           gateway_error: 'gateway_error',
 
+          # Gift card errors
+          gift_card_not_found: 'gift_card_not_found',
+          gift_card_expired: 'gift_card_expired',
+          gift_card_already_redeemed: 'gift_card_already_redeemed',
+
           # Digital download errors
           attachment_missing: 'attachment_missing',
           download_unauthorized: 'download_unauthorized',

data/app/controllers/spree/api/v3/base_controller.rb

@@ -2,6 +2,9 @@ module Spree
   module Api
     module V3
       class BaseController < ActionController::API
+        # API v3 uses flat params — disable Rails' automatic parameter wrapping
+        wrap_parameters false
+
         include ActiveStorage::SetCurrent
         include CanCan::ControllerAdditions
         include Spree::Core::ControllerHelpers::StrongParameters

data/app/controllers/spree/api/v3/store/carts/{coupon_codes_controller.rb → discount_codes_controller.rb}

@@ -3,14 +3,14 @@ module Spree
     module V3
       module Store
         module Carts
-          class CouponCodesController < Store::BaseController
+          class DiscountCodesController < Store::BaseController
             include Spree::Api::V3::CartResolvable
             include Spree::Api::V3::OrderLock
 
             before_action :find_cart!
 
-            # POST  /api/v3/store/carts/:cart_id/coupon_codes
-            # Apply a coupon code to the cart
+            # POST  /api/v3/store/carts/:cart_id/discount_codes
+            # Apply a discount code to the cart
             def create
               with_order_lock do
                 @cart.coupon_code = permitted_params[:code]
@@ -25,9 +25,9 @@ module Spree
               end
             end
 
-            # DELETE  /api/v3/store/carts/:cart_id/coupon_codes/:id
-            # Remove a coupon code from the cart
-            # :id is the coupon code string (e.g., SAVE10)
+            # DELETE  /api/v3/store/carts/:cart_id/discount_codes/:id
+            # Remove a discount code from the cart
+            # :id is the discount code string (e.g., SAVE10)
             def destroy
               with_order_lock do
                 coupon_handler.remove(params[:id])
@@ -43,7 +43,7 @@ module Spree
             private
 
             def coupon_handler
-              @coupon_handler ||= Spree.coupon_handler.new(@cart)
+              @coupon_handler ||= Spree.coupon_handler.new(@cart, enable_gift_cards: false)
             end
 
             def permitted_params

data/app/controllers/spree/api/v3/store/carts/gift_cards_controller.rb

@@ -0,0 +1,72 @@
+module Spree
+  module Api
+    module V3
+      module Store
+        module Carts
+          class GiftCardsController < Store::BaseController
+            include Spree::Api::V3::CartResolvable
+            include Spree::Api::V3::OrderLock
+
+            before_action :find_cart!
+
+            # POST /api/v3/store/carts/:cart_id/gift_cards
+            def create
+              with_order_lock do
+                gift_card = find_gift_card!
+                return unless gift_card
+
+                result = @cart.apply_gift_card(gift_card)
+
+                if result.success?
+                  render_cart(status: :created)
+                else
+                  render_service_error(result.error)
+                end
+              end
+            end
+
+            # DELETE /api/v3/store/carts/:cart_id/gift_cards/:id
+            def destroy
+              with_order_lock do
+                result = @cart.remove_gift_card
+
+                if result.success?
+                  render_cart
+                else
+                  render_service_error(result.error)
+                end
+              end
+            end
+
+            private
+
+            def find_gift_card!
+              gift_card = @cart.store.gift_cards.find_by(code: permitted_params[:code]&.downcase)
+
+              if gift_card.nil?
+                render_error(code: ERROR_CODES[:gift_card_not_found], message: Spree.t(:gift_card_not_found), status: :not_found)
+                return
+              end
+
+              if gift_card.expired?
+                render_error(code: ERROR_CODES[:gift_card_expired], message: Spree.t(:gift_card_expired), status: :unprocessable_content)
+                return
+              end
+
+              if gift_card.redeemed?
+                render_error(code: ERROR_CODES[:gift_card_already_redeemed], message: Spree.t(:gift_card_already_redeemed), status: :unprocessable_content)
+                return
+              end
+
+              gift_card
+            end
+
+            def permitted_params
+              params.permit(:code)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/store/customer/password_resets_controller.rb

@@ -13,7 +13,7 @@ module Spree
 
             skip_before_action :authenticate_user
 
-            # POST /api/v3/store/customer/password_resets
+            # POST /api/v3/store/password_resets
             def create
               redirect_url = params[:redirect_url]
 
@@ -41,7 +41,7 @@ module Spree
               render json: { message: Spree.t(:password_reset_requested, scope: :api) }, status: :accepted
             end
 
-            # PATCH /api/v3/store/customer/password_resets/:id
+            # PATCH /api/v3/store/password_resets/:id
             def update
               user = Spree.user_class.find_by_password_reset_token(params[:id])
 

data/app/controllers/spree/api/v3/store/policies_controller.rb

@@ -0,0 +1,34 @@
+module Spree
+  module Api
+    module V3
+      module Store
+        class PoliciesController < Store::ResourceController
+          include Spree::Api::V3::HttpCaching
+
+          protected
+
+          def model_class
+            Spree::Policy
+          end
+
+          def serializer_class
+            Spree.api.policy_serializer
+          end
+
+          # Accept slug (e.g., return-policy) or prefixed ID (e.g., pol_abc123)
+          def find_resource
+            if params[:id].to_s.start_with?('pol_')
+              scope.find_by_prefix_id!(params[:id])
+            else
+              scope.friendly.find(params[:id])
+            end
+          end
+
+          def scope
+            super.order(:name)
+          end
+        end
+      end
+    end
+  end
+end

data/app/serializers/spree/api/v3/admin/price_history_serializer.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Spree
+  module Api
+    module V3
+      module Admin
+        class PriceHistorySerializer < V3::PriceHistorySerializer
+          typelize variant_id: :string,
+                   price_id: :string,
+                   compare_at_amount: [:string, nullable: true],
+                   created_at: :string
+
+          attribute :variant_id do |price_history|
+            price_history.variant.prefixed_id
+          end
+
+          attribute :price_id do |price_history|
+            price_history.price.prefixed_id
+          end
+
+          attributes :compare_at_amount, created_at: :iso8601
+        end
+      end
+    end
+  end
+end

data/app/serializers/spree/api/v3/cart_serializer.rb

@@ -18,7 +18,9 @@ module Spree
                  gift_card_total: :string, display_gift_card_total: :string,
                  covered_by_store_credit: :boolean,
                  total: :string, display_total: :string,
+                 amount_due: :string, display_amount_due: :string,
                  shipping_eq_billing_address: :boolean,
+                 warnings: 'Array<{code: string, message: string, line_item_id?: string, variant_id?: string}>',
                  billing_address: { nullable: true }, shipping_address: { nullable: true },
                  gift_card: { nullable: true }
 
@@ -34,7 +36,9 @@ module Spree
                    :discount_total, :display_discount_total,
                    :tax_total, :display_tax_total, :included_tax_total, :display_included_tax_total,
                    :additional_tax_total, :display_additional_tax_total, :total, :display_total,
-                   :delivery_total, :display_delivery_total,
+                   :gift_card_total, :display_gift_card_total,
+                   :amount_due, :display_amount_due,
+                   :delivery_total, :display_delivery_total, :warnings,
                    created_at: :iso8601, updated_at: :iso8601
 
         attribute :store_credit_total do |order|
@@ -45,8 +49,6 @@ module Spree
           order.display_total_applied_store_credit.to_s
         end
 
-        attributes :gift_card_total, :display_gift_card_total
-
         attribute :covered_by_store_credit do |order|
           order.covered_by_store_credit?
         end

data/app/serializers/spree/api/v3/order_serializer.rb

@@ -17,7 +17,9 @@ module Spree
                  store_credit_total: :string, display_store_credit_total: :string,
                  gift_card_total: :string, display_gift_card_total: :string,
                  covered_by_store_credit: :boolean,
-                 total: :string, display_total: :string, completed_at: [:string, nullable: true],
+                 total: :string, display_total: :string,
+                 amount_due: :string, display_amount_due: :string,
+                 completed_at: [:string, nullable: true],
                  billing_address: { nullable: true }, shipping_address: { nullable: true },
                  gift_card: { nullable: true }
 
@@ -28,6 +30,8 @@ module Spree
                    :discount_total, :display_discount_total,
                    :tax_total, :display_tax_total, :included_tax_total, :display_included_tax_total,
                    :additional_tax_total, :display_additional_tax_total, :total, :display_total,
+                   :gift_card_total, :display_gift_card_total,
+                   :amount_due, :display_amount_due,
                    :delivery_total, :display_delivery_total, :fulfillment_status, :payment_status,
                    completed_at: :iso8601, created_at: :iso8601, updated_at: :iso8601
 
@@ -39,8 +43,6 @@ module Spree
           order.display_total_applied_store_credit.to_s
         end
 
-        attributes :gift_card_total, :display_gift_card_total
-
         attribute :covered_by_store_credit do |order|
           order.covered_by_store_credit?
         end

data/app/serializers/spree/api/v3/policy_serializer.rb

@@ -0,0 +1,22 @@
+module Spree
+  module Api
+    module V3
+      class PolicySerializer < BaseSerializer
+        typelize name: :string, slug: :string,
+                 body: [:string, nullable: true], body_html: [:string, nullable: true]
+
+        attributes :name, :slug
+
+        attribute :body do |policy|
+          policy.body&.to_plain_text
+        end
+
+        attribute :body_html do |policy|
+          policy.body&.body&.to_s.to_s
+        end
+
+        attributes created_at: :iso8601, updated_at: :iso8601
+      end
+    end
+  end
+end

data/app/serializers/spree/api/v3/price_history_serializer.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Spree
+  module Api
+    module V3
+      class PriceHistorySerializer < BaseSerializer
+        typelize amount: :string,
+                 amount_in_cents: :number,
+                 display_amount: :string,
+                 currency: :string,
+                 recorded_at: :string
+
+        attributes :amount, :amount_in_cents, :currency
+
+        attribute :display_amount do |price_history|
+          price_history.display_amount
+        end
+
+        attribute :recorded_at do |price_history|
+          price_history.recorded_at&.iso8601
+        end
+      end
+    end
+  end
+end

data/app/serializers/spree/api/v3/product_serializer.rb

@@ -111,6 +111,14 @@ module Spree
              key: :metafields,
              resource: Spree.api.metafield_serializer,
              if: proc { expand?('metafields') }
+
+        typelize prior_price: ['PriceHistory', nullable: true]
+
+        attribute :prior_price,
+                  if: proc { expand?('prior_price') } do |product|
+          record = price_in(product.default_variant)&.prior_price
+          Spree.api.price_history_serializer.new(record, params: params).to_h if record
+        end
       end
     end
   end

data/app/serializers/spree/api/v3/variant_serializer.rb

@@ -85,6 +85,14 @@ module Spree
              key: :metafields,
              resource: Spree.api.metafield_serializer,
              if: proc { expand?('metafields') }
+
+        typelize prior_price: ['PriceHistory', nullable: true]
+
+        attribute :prior_price,
+                  if: proc { expand?('prior_price') } do |variant|
+          record = price_in(variant)&.prior_price
+          Spree.api.price_history_serializer.new(record, params: params).to_h if record
+        end
       end
     end
   end

data/app/services/spree/api/v3/filters_aggregator.rb

@@ -2,13 +2,17 @@ module Spree
   module Api
     module V3
       class FiltersAggregator
-        # @param scope [ActiveRecord::Relation] Base product scope (already filtered by store, availability, category, etc.)
+        # @param scope [ActiveRecord::Relation] Base product scope (fully filtered, including option values)
         # @param currency [String] Currency for price range
         # @param category [Spree::Category, nil] Optional category for default_sort and category filtering context
-        def initialize(scope:, currency:, category: nil)
+        # @param option_value_ids [Array<String>] Currently selected option value prefixed IDs (for disjunctive facet counts)
+        # @param scope_before_options [ActiveRecord::Relation] Scope before option value filters (for disjunctive counts)
+        def initialize(scope:, currency:, category: nil, option_value_ids: [], scope_before_options: nil)
           @scope = scope
           @currency = currency
           @category = category
+          @option_value_ids = option_value_ids
+          @scope_before_options = scope_before_options || scope
         end
 
         def call
@@ -78,25 +82,26 @@ module Spree
 
         def option_type_filters
           Spree::OptionType.filterable.includes(:option_values).order(:position).filter_map do |option_type|
-            values = option_type.option_values.for_products(@scope).distinct.order(:position)
+            # Disjunctive: count against scope WITHOUT this option type's filter
+            count_scope = disjunctive_scope_for(option_type)
+            values = option_type.option_values.for_products(count_scope).distinct.order(:position)
             next if values.empty?
 
+            count_ids = count_scope.reorder('').distinct.pluck(:id)
+
             {
               id: option_type.prefixed_id,
               type: 'option',
               name: option_type.name,
               label: option_type.label,
-              options: values.map { |ov| option_value_data(option_type, ov) }
+              options: values.map { |ov| option_value_data(count_ids, ov) }
             }
           end
         end
 
-        def option_value_data(option_type, option_value)
-          # Count products in scope that have this option value
-          # We use a subquery approach to avoid GROUP BY conflicts when scope includes joins (like in_category)
-          # Join directly to option_value_variants for efficiency (skips joining through option_values table)
+        def option_value_data(product_ids, option_value)
           count = Spree::Product
-            .where(id: base_scope_product_ids)
+            .where(id: product_ids)
             .joins(:option_value_variants)
             .where(Spree::OptionValueVariant.table_name => { option_value_id: option_value.id })
             .distinct
@@ -111,8 +116,38 @@ module Spree
           }
         end
 
-        def base_scope_product_ids
-          @base_scope_product_ids ||= @scope.reorder('').distinct.pluck(:id)
+        # Returns the scope with all option type filters EXCEPT the given one applied.
+        # This gives disjunctive counts: selecting Blue still shows Red's true count.
+        def disjunctive_scope_for(option_type)
+          return @scope_before_options if grouped_selected_options.empty?
+
+          other_groups = grouped_selected_options.except(option_type.id)
+
+          # If this type has selections but no other types do, use scope before any option filters
+          return @scope_before_options if other_groups.empty?
+
+          # Rebuild: start from scope before options, apply only other option types
+          scope = @scope_before_options
+          other_groups.each_value do |ov_ids|
+            matching = Spree::Variant.where(deleted_at: nil)
+                                     .joins(:option_value_variants)
+                                     .where(Spree::OptionValueVariant.table_name => { option_value_id: ov_ids })
+                                     .select(:product_id)
+            scope = scope.where(id: matching)
+          end
+          scope
+        end
+
+        # Group selected option value IDs by option type (cached, single query)
+        def grouped_selected_options
+          @grouped_selected_options ||= begin
+            return {} if @option_value_ids.blank?
+
+            decoded = @option_value_ids.filter_map { |id| Spree::OptionValue.decode_prefixed_id(id) }
+            return {} if decoded.empty?
+
+            Spree::OptionValue.where(id: decoded).group_by(&:option_type_id).transform_values { |ovs| ovs.map(&:id) }
+          end
         end
 
         def category_filter

data/app/services/spree/webhooks/deliver_webhook.rb

@@ -49,22 +49,31 @@ module Spree
       private
 
       def make_request
-        SsrfFilter.post(
-          @delivery.url,
-          headers: {
-            'Content-Type' => 'application/json',
-            'User-Agent' => 'Spree-Webhooks/1.0',
-            'X-Spree-Webhook-Signature' => generate_signature,
-            'X-Spree-Webhook-Timestamp' => webhook_timestamp.to_s,
-            'X-Spree-Webhook-Event' => @delivery.event_name
-          },
-          body: @delivery.payload.to_json,
-          http_options: {
-            open_timeout: TIMEOUT,
-            read_timeout: TIMEOUT,
-            verify_mode: ssl_verify_mode
-          }
-        )
+        headers = {
+          'Content-Type' => 'application/json',
+          'User-Agent' => 'Spree-Webhooks/1.0',
+          'X-Spree-Webhook-Signature' => generate_signature,
+          'X-Spree-Webhook-Timestamp' => webhook_timestamp.to_s,
+          'X-Spree-Webhook-Event' => @delivery.event_name
+        }
+        body = @delivery.payload.to_json
+        http_options = { open_timeout: TIMEOUT, read_timeout: TIMEOUT, verify_mode: ssl_verify_mode }
+
+        # SSRF protection is disabled in development so webhooks can reach
+        # localhost / host.docker.internal (the storefront running on the host).
+        if Rails.env.development?
+          uri = URI.parse(@delivery.url)
+          http = Net::HTTP.new(uri.host, uri.port)
+          http.use_ssl = uri.scheme == 'https'
+          http_options.each { |k, v| http.send(:"#{k}=", v) }
+
+          request = Net::HTTP::Post.new(uri.request_uri)
+          headers.each { |k, v| request[k] = v }
+          request.body = body
+          http.request(request)
+        else
+          SsrfFilter.post(@delivery.url, headers: headers, body: body, http_options: http_options)
+        end
       end
 
       def generate_signature

data/app/subscribers/spree/webhook_event_subscriber.rb

@@ -21,13 +21,15 @@ module Spree
       return unless Spree::Api::Config.webhooks_enabled
       return if event.store_id.blank?
 
-      # Find all active endpoints for this store subscribed to this event
-      endpoints = Spree::WebhookEndpoint.active.where(store_id: event.store_id).select { |endpoint| endpoint.subscribed_to?(event.name) }
+      # Only load the columns we need for matching and delivery
+      endpoints = Spree::WebhookEndpoint
+        .enabled
+        .where(store_id: event.store_id)
+        .select(:id, :subscriptions)
 
-      return if endpoints.empty?
-
-      # Queue delivery for each endpoint
       endpoints.each do |endpoint|
+        next unless endpoint.subscribed_to?(event.name)
+
         queue_delivery(endpoint, event)
       end
     rescue StandardError => e
@@ -38,17 +40,25 @@ module Spree
     private
 
     def queue_delivery(endpoint, event)
-      # Build base payload (without delivery ID)
       payload = build_payload(event)
 
-      # Create delivery record
+      # Deduplicate: skip if we already have a delivery for this event + endpoint
+      if event.id.present?
+        return if Spree::WebhookDelivery.exists?(
+          webhook_endpoint_id: endpoint.id,
+          event_id: event.id
+        )
+      end
+
       delivery = endpoint.webhook_deliveries.create!(
         event_name: event.name,
+        event_id: event.id,
         payload: payload
       )
 
-      # Queue the delivery job
       Spree::WebhookDeliveryJob.perform_later(delivery.id)
+    rescue ActiveRecord::RecordNotUnique
+      # Race condition: another thread already created this delivery — safe to ignore
     rescue StandardError => e
       Rails.logger.error "[Spree Webhooks] Error queuing delivery for endpoint #{endpoint.id}: #{e.message}"
       Rails.error.report(e)

data/config/locales/en.yml

@@ -2,24 +2,24 @@
 en:
   spree:
     api:
+      current_password_invalid: Current password is invalid or missing
       gateway_error: 'There was a problem with the payment gateway: %{text}'
       invalid_api_key: Invalid API key (%{key}) specified.
       invalid_resource: Invalid resource. Please fix errors and try again.
       invalid_taxonomy_id: Invalid taxonomy id.
-      current_password_invalid: Current password is invalid or missing
-      password_reset_requested: If an account exists for that email, password reset instructions have been sent.
-      password_reset_token_invalid: Password reset token is invalid or has expired.
-      redirect_url_not_allowed: The redirect URL is not from an allowed origin for this store.
       must_specify_api_key: You must specify an API key.
       negative_quantity: quantity is negative
       order:
         could_not_transition: The order could not be transitioned. Please fix the errors and try again.
         insufficient_quantity: An item in your cart has become unavailable.
         invalid_shipping_method: Invalid shipping method specified.
+      password_reset_requested: If an account exists for that email, password reset instructions have been sent.
+      password_reset_token_invalid: Password reset token is invalid or has expired.
       payment:
         credit_over_limit: This payment can only be credited up to %{limit}. Please specify an amount less than or equal to this number.
         update_forbidden: This payment cannot be updated because it is %{state}.
-      record_not_found: '%{model} not found'
+      record_not_found: "%{model} not found"
+      redirect_url_not_allowed: The redirect URL is not from an allowed origin for this store.
       resource_not_found: The resource you were looking for could not be found.
       shipment:
         cannot_ready: Cannot ready shipment.
@@ -27,10 +27,6 @@ en:
       shipment_transfer_success: Variants successfully transferred
       stock_location_required: A stock_location_id parameter must be provided in order to retrieve stock movements.
       unauthorized: You are not authorized to perform that action.
-      v3:
-        payments:
-          session_required: This payment method requires a payment session. Use the payment sessions endpoint instead.
-          method_unavailable: This payment method is not available for this order.
       v2:
         cart:
           no_coupon_code: No coupon code provided and the Order doesn't have any coupon code promotions applied
@@ -47,4 +43,8 @@ en:
           errors:
             the_wishlist_could_not_be_destroyed: The wishlist could not be destroyed.
           wrong_quantity: Quantity has to be greater than 0
+      v3:
+        payments:
+          method_unavailable: This payment method is not available for this order.
+          session_required: This payment method requires a payment session. Use the payment sessions endpoint instead.
       wrong_shipment_target: target shipment is the same as original shipment

data/config/routes.rb

@@ -27,9 +27,7 @@ Spree::Core::Engine.add_routes do
             get :filters, to: 'products/filters#index'
           end
         end
-        resources :categories, only: [:index, :show], id: /.+/ do
-          resources :products, only: [:index], controller: 'categories/products'
-        end
+        resources :categories, only: [:index, :show], id: /.+/
 
         # Carts
         resources :carts, only: [:index, :show, :create, :update, :destroy] do
@@ -38,7 +36,8 @@ Spree::Core::Engine.add_routes do
             post :complete
           end
           resources :items, only: [:create, :update, :destroy], controller: 'carts/items'
-          resources :coupon_codes, only: [:create, :destroy], controller: 'carts/coupon_codes'
+          resources :discount_codes, only: [:create, :destroy], controller: 'carts/discount_codes'
+          resources :gift_cards, only: [:create, :destroy], controller: 'carts/gift_cards'
           resources :fulfillments, only: [:update], controller: 'carts/fulfillments'
           resources :payments, only: [:create], controller: 'carts/payments'
           resources :payment_sessions, only: [:create, :show, :update], controller: 'carts/payment_sessions' do
@@ -52,6 +51,12 @@ Spree::Core::Engine.add_routes do
         # Orders (single order lookup, guest-accessible via order token)
         resources :orders, only: [:show]
 
+        # Policies (return policy, privacy policy, terms of service, etc.)
+        resources :policies, only: [:index, :show]
+
+        # Password Resets (top-level, no auth required)
+        resources :password_resets, only: [:create, :update], controller: 'customer/password_resets'
+
         # Customers
         resources :customers, only: [:create]
 
@@ -60,8 +65,6 @@ Spree::Core::Engine.add_routes do
           get '/', action: :show, controller: '/spree/api/v3/store/customers'
           patch '/', action: :update, controller: '/spree/api/v3/store/customers'
 
-          resources :password_resets, only: [:create, :update]
-
           resources :orders, only: [:index, :show]
           resources :addresses, only: [:index, :show, :create, :update, :destroy]
           resources :credit_cards, only: [:index, :show, :destroy]

data/lib/spree/api/dependencies.rb

@@ -94,6 +94,7 @@ module Spree
         # v3 serializers (API v3)
         credit_card_serializer: 'Spree::Api::V3::CreditCardSerializer',
         price_serializer: 'Spree::Api::V3::PriceSerializer',
+        price_history_serializer: 'Spree::Api::V3::PriceHistorySerializer',
         product_serializer: 'Spree::Api::V3::ProductSerializer',
         variant_serializer: 'Spree::Api::V3::VariantSerializer',
         media_serializer: 'Spree::Api::V3::MediaSerializer',
@@ -129,6 +130,7 @@ module Spree
         gift_card_serializer: 'Spree::Api::V3::GiftCardSerializer',
         currency_serializer: 'Spree::Api::V3::CurrencySerializer',
         locale_serializer: 'Spree::Api::V3::LocaleSerializer',
+        policy_serializer: 'Spree::Api::V3::PolicySerializer',
         metafield_serializer: 'Spree::Api::V3::MetafieldSerializer',
         shipping_category_serializer: 'Spree::Api::V3::ShippingCategorySerializer',
         tax_category_serializer: 'Spree::Api::V3::TaxCategorySerializer',
@@ -160,6 +162,7 @@ module Spree
         admin_product_serializer: 'Spree::Api::V3::Admin::ProductSerializer',
         admin_variant_serializer: 'Spree::Api::V3::Admin::VariantSerializer',
         admin_price_serializer: 'Spree::Api::V3::Admin::PriceSerializer',
+        admin_price_history_serializer: 'Spree::Api::V3::Admin::PriceHistorySerializer',
         admin_metafield_serializer: 'Spree::Api::V3::Admin::MetafieldSerializer',
         admin_category_serializer: 'Spree::Api::V3::Admin::CategorySerializer',
         admin_line_item_serializer: 'Spree::Api::V3::Admin::LineItemSerializer',

data/lib/spree/api/openapi/schema_helper.rb

@@ -95,6 +95,17 @@ module Spree
               },
               required: %w[step field message]
             },
+            CartWarning: {
+              type: :object,
+              description: 'A warning about a cart issue (e.g., item removed due to stock change)',
+              properties: {
+                code: { type: :string, description: 'Machine-readable warning code', example: 'line_item_removed' },
+                message: { type: :string, description: 'Human-readable warning message', example: 'Blue T-Shirt was removed because it was sold out' },
+                line_item_id: { type: :string, nullable: true, description: 'Prefixed line item ID (when applicable)', example: 'li_abc123' },
+                variant_id: { type: :string, nullable: true, description: 'Prefixed variant ID (when applicable)', example: 'variant_abc123' }
+              },
+              required: %w[code message]
+            },
             FulfillmentManifestItem: {
               type: :object,
               description: 'An item within a fulfillment — which line item and how many units are in this fulfillment',
@@ -152,6 +163,14 @@ module Spree
               items: { '$ref' => '#/components/schemas/CheckoutRequirement' }
             }
           end
+
+          warn_key = props.key?('warnings') ? 'warnings' : :warnings
+          if props[warn_key]
+            props[warn_key] = {
+              type: :array,
+              items: { '$ref' => '#/components/schemas/CartWarning' }
+            }
+          end
         end
 
         # Typelizer cannot represent Array<{...}> inline object types in OpenAPI,

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spree_api
 version: !ruby/object:Gem::Version
-  version: 5.4.0.rc2
+  version: 5.4.0.rc4
 platform: ruby
 authors:
 - Vendo Connect Inc.
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-03-23 00:00:00.000000000 Z
+date: 2026-03-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rswag-specs
@@ -72,28 +72,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.10.0
+        version: 0.11.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.10.0
+        version: 0.11.0
 - !ruby/object:Gem::Dependency
   name: spree_core
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.4.0.rc2
+        version: 5.4.0.rc4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.4.0.rc2
+        version: 5.4.0.rc4
 description: Spree's API
 email:
 - hello@spreecommerce.org
@@ -121,14 +121,14 @@ files:
 - app/controllers/spree/api/v3/resource_controller.rb
 - app/controllers/spree/api/v3/store/auth_controller.rb
 - app/controllers/spree/api/v3/store/base_controller.rb
-- app/controllers/spree/api/v3/store/carts/coupon_codes_controller.rb
+- app/controllers/spree/api/v3/store/carts/discount_codes_controller.rb
 - app/controllers/spree/api/v3/store/carts/fulfillments_controller.rb
+- app/controllers/spree/api/v3/store/carts/gift_cards_controller.rb
 - app/controllers/spree/api/v3/store/carts/items_controller.rb
 - app/controllers/spree/api/v3/store/carts/payment_sessions_controller.rb
 - app/controllers/spree/api/v3/store/carts/payments_controller.rb
 - app/controllers/spree/api/v3/store/carts/store_credits_controller.rb
 - app/controllers/spree/api/v3/store/carts_controller.rb
-- app/controllers/spree/api/v3/store/categories/products_controller.rb
 - app/controllers/spree/api/v3/store/categories_controller.rb
 - app/controllers/spree/api/v3/store/countries_controller.rb
 - app/controllers/spree/api/v3/store/currencies_controller.rb
@@ -145,6 +145,7 @@ files:
 - app/controllers/spree/api/v3/store/markets/countries_controller.rb
 - app/controllers/spree/api/v3/store/markets_controller.rb
 - app/controllers/spree/api/v3/store/orders_controller.rb
+- app/controllers/spree/api/v3/store/policies_controller.rb
 - app/controllers/spree/api/v3/store/products/filters_controller.rb
 - app/controllers/spree/api/v3/store/products_controller.rb
 - app/controllers/spree/api/v3/store/resource_controller.rb
@@ -177,6 +178,7 @@ files:
 - app/serializers/spree/api/v3/admin/payment_method_serializer.rb
 - app/serializers/spree/api/v3/admin/payment_serializer.rb
 - app/serializers/spree/api/v3/admin/payment_source_serializer.rb
+- app/serializers/spree/api/v3/admin/price_history_serializer.rb
 - app/serializers/spree/api/v3/admin/price_serializer.rb
 - app/serializers/spree/api/v3/admin/product_serializer.rb
 - app/serializers/spree/api/v3/admin/refund_serializer.rb
@@ -223,6 +225,8 @@ files:
 - app/serializers/spree/api/v3/payment_session_serializer.rb
 - app/serializers/spree/api/v3/payment_setup_session_serializer.rb
 - app/serializers/spree/api/v3/payment_source_serializer.rb
+- app/serializers/spree/api/v3/policy_serializer.rb
+- app/serializers/spree/api/v3/price_history_serializer.rb
 - app/serializers/spree/api/v3/price_serializer.rb
 - app/serializers/spree/api/v3/product_serializer.rb
 - app/serializers/spree/api/v3/promotion_serializer.rb
@@ -269,9 +273,9 @@ licenses:
 - BSD-3-Clause
 metadata:
   bug_tracker_uri: https://github.com/spree/spree/issues
-  changelog_uri: https://github.com/spree/spree/releases/tag/v5.4.0.rc2
+  changelog_uri: https://github.com/spree/spree/releases/tag/v5.4.0.rc4
   documentation_uri: https://docs.spreecommerce.org/
-  source_code_uri: https://github.com/spree/spree/tree/v5.4.0.rc2
+  source_code_uri: https://github.com/spree/spree/tree/v5.4.0.rc4
 post_install_message:
 rdoc_options: []
 require_paths:

data/app/controllers/spree/api/v3/store/categories/products_controller.rb

@@ -1,37 +0,0 @@
-module Spree
-  module Api
-    module V3
-      module Store
-        module Categories
-          class ProductsController < Store::ProductsController
-            before_action :set_category
-
-            protected
-
-            def set_category
-              @category = find_category
-            end
-
-            def scope
-              super.in_category(@category)
-            end
-
-            private
-
-            def find_category
-              id = params[:category_id]
-              category_scope = Spree::Category.for_store(current_store).accessible_by(current_ability, :show)
-              category_scope = category_scope.i18n if Spree::Category.include?(Spree::TranslatableResource)
-
-              if id.to_s.start_with?('ctg_')
-                category_scope.find_by_prefix_id!(id)
-              else
-                find_with_fallback_default_locale { category_scope.i18n.find_by!(permalink: id) }
-              end
-            end
-          end
-        end
-      end
-    end
-  end
-end