spree_core 5.4.1 → 5.4.3

data/app/models/spree/search_provider/database.rb

@@ -8,35 +8,16 @@ module Spree
       }.freeze
 
       def search_and_filter(scope:, query: nil, filters: {}, sort: nil, page: 1, limit: 25)
-        # 1. Text search
-        scope = scope.search(query) if query.present?
-
-        # 2. Extract internal params before passing to Ransack
-        category = filters.is_a?(Hash) ? filters.delete('_category') || filters.delete(:_category) : nil
-
-        # 2b. Extract option value IDs — handled by scope (OR within type, AND across)
-        option_value_ids = filters.is_a?(Hash) ? filters.delete('with_option_value_ids') || filters.delete(:with_option_value_ids) : nil
-
-        # 3. Structured filtering via Ransack
-        ransack_filters = sanitize_filters(filters)
-        if ransack_filters.present?
-          search = scope.ransack(ransack_filters)
-          scope = search.result(distinct: true)
-        end
-
-        # Save scope before option filters for disjunctive facet counts
-        scope_before_options = scope
-        if option_value_ids.present?
-          scope = scope.with_option_value_ids(Array(option_value_ids))
-        end
+        filters = filters.is_a?(Hash) ? filters.dup : {}
+        option_value_ids = filters.delete('with_option_value_ids') || filters.delete(:with_option_value_ids)
 
-        # 4. Facets (before sorting to avoid computed column conflicts with count)
-        filter_facets = build_facets(scope, category: category, option_value_ids: Array(option_value_ids), scope_before_options: scope_before_options)
+        scope = apply_search_and_filters(scope, query: query, filters: filters)
+        scope = scope.with_option_value_ids(Array(option_value_ids)) if option_value_ids.present?
 
-        # 5. Total count (before sorting to avoid computed column conflicts with count)
+        # Total count (before sorting to avoid computed column conflicts with count)
         total = scope.distinct.count
 
-        # 6. Sorting + pagination
+        # Sorting + pagination
         scope = apply_sort(scope, sort)
         page = [page.to_i, 1].max
         limit = limit.to_i.clamp(1, 100)
@@ -44,22 +25,56 @@ module Spree
 
         SearchResult.new(
           products: products,
+          total_count: total,
+          pagy: build_pagy(total, page, limit)
+        )
+      end
+
+      def filters(scope:, query: nil, filters: {})
+        filters = filters.is_a?(Hash) ? filters.dup : {}
+        category = filters.delete('_category') || filters.delete(:_category)
+        option_value_ids = Array(filters.delete('with_option_value_ids') || filters.delete(:with_option_value_ids))
+
+        # Apply text search + ransack filters (without option values)
+        scope_before_options = apply_search_and_filters(scope, query: query, filters: filters)
+
+        # Apply option value filters for the final scope
+        scope_with_options = if option_value_ids.present?
+                               scope_before_options.with_option_value_ids(option_value_ids)
+                             else
+                               scope_before_options
+                             end
+
+        filter_facets = build_facets(scope_with_options, category: category, option_value_ids: option_value_ids, scope_before_options: scope_before_options)
+
+        FiltersResult.new(
           filters: filter_facets[:filters],
           sort_options: filter_facets[:sort_options],
           default_sort: filter_facets[:default_sort],
-          total_count: total,
-          pagy: build_pagy(total, page, limit)
+          total_count: filter_facets[:total_count]
         )
       end
 
       private
 
+      def apply_search_and_filters(scope, query: nil, filters: {})
+        scope = scope.search(query) if query.present?
+
+        ransack_filters = sanitize_filters(filters)
+        if ransack_filters.present?
+          search = scope.ransack(ransack_filters)
+          scope = search.result(distinct: true)
+        end
+
+        scope
+      end
+
       def build_pagy(count, page, limit)
         Pagy::Offset.new(count: count, page: page, limit: limit)
       end
 
       def build_facets(scope, category: nil, option_value_ids: [], scope_before_options: nil)
-        return { filters: [], sort_options: available_sort_options, default_sort: 'manual' } unless defined?(Spree::Api::V3::FiltersAggregator)
+        return { filters: [], sort_options: available_sort_options, default_sort: 'manual', total_count: scope.distinct.count } unless defined?(Spree::Api::V3::FiltersAggregator)
 
         Spree::Api::V3::FiltersAggregator.new(
           scope: scope,
@@ -74,7 +89,7 @@ module Spree
         return {} if filters.blank?
 
         filters = filters.to_unsafe_h if filters.respond_to?(:to_unsafe_h)
-        filters.except('search', :search, '_category', :_category)
+        filters.except('search', :search, '_category', :_category, 'with_option_value_ids', :with_option_value_ids)
       end
 
       def apply_sort(scope, sort)

data/app/models/spree/search_provider/filters_result.rb

@@ -0,0 +1,5 @@
+module Spree
+  module SearchProvider
+    FiltersResult = Struct.new(:filters, :sort_options, :default_sort, :total_count, keyword_init: true)
+  end
+end

data/app/models/spree/search_provider/meilisearch.rb

@@ -20,84 +20,9 @@ module Spree
       def search_and_filter(scope:, query: nil, filters: {}, sort: nil, page: 1, limit: 25)
         page = [page.to_i, 1].max
         limit = limit.to_i.clamp(1, 100)
-        filters = filters.to_unsafe_h if filters.respond_to?(:to_unsafe_h)
-        filters = (filters || {}).stringify_keys
-
-        # Extract and group option values by option type for proper OR/AND semantics
-        option_value_ids = extract_and_delete(filters, 'with_option_value_ids')
-        grouped_options = group_option_values_by_type(Array(option_value_ids))
-
-        base_conditions = build_filters(filters)
-        option_conditions = build_grouped_option_conditions(grouped_options)
-        all_conditions = base_conditions + option_conditions
-
-        search_params = {
-          filter: all_conditions,
-          facets: facet_attributes,
-          sort: build_sort(sort),
-          offset: (page - 1) * limit,
-          limit: limit
-        }
-
-        Rails.logger.debug { "[Meilisearch] index=#{index_name} query=#{query.inspect} #{search_params.compact.inspect}" }
-
-        begin
-          if grouped_options.any?
-            # N+1 multi-search: 1 hit query + 1 disjunctive facet query per active option type
-            queries = [{ indexUid: index_name, q: query.to_s, **search_params }]
-            option_type_ids_ordered = grouped_options.keys
-            option_type_ids_ordered.each do |option_type_id|
-              without_this = build_grouped_option_conditions(grouped_options.except(option_type_id))
-              queries << { indexUid: index_name, q: query.to_s, filter: base_conditions + without_this, facets: ['option_value_ids'], limit: 0 }
-            end
-
-            results = client.multi_search(queries)
-            ms_result = results['results'][0]
-
-            # Merge disjunctive counts per option type.
-            # Each disjunctive query excluded one option type's filter.
-            # Use that query's full option_value_ids distribution for that option type's values,
-            # and the main query's distribution for everything else.
-            main_ov_dist = ms_result.dig('facetDistribution', 'option_value_ids') || {}
-
-            # Build a set of prefixed IDs per option type (including unselected values)
-            # by looking up which option type each option value belongs to.
-            all_ov_prefixed_ids = Set.new
-            disjunctive_dists = {}
-            results['results'][1..].each_with_index do |r, idx|
-              dist = r.dig('facetDistribution', 'option_value_ids') || {}
-              disjunctive_dists[option_type_ids_ordered[idx]] = dist
-              all_ov_prefixed_ids.merge(dist.keys)
-            end
 
-            # Resolve which prefixed IDs belong to which option type
-            all_raw_ids = all_ov_prefixed_ids.filter_map { |pid| Spree::OptionValue.decode_prefixed_id(pid) }
-            ov_to_type = Spree::OptionValue.where(id: all_raw_ids).pluck(:id, :option_type_id).to_h
-            prefixed_to_type = all_ov_prefixed_ids.each_with_object({}) do |pid, h|
-              raw = Spree::OptionValue.decode_prefixed_id(pid)
-              h[pid] = ov_to_type[raw] if raw
-            end
-
-            # Start with main query's distribution, overlay disjunctive counts for active option types
-            merged_ov_dist = main_ov_dist.dup
-            disjunctive_dists.each do |option_type_id, dist|
-              dist.each do |pid, count|
-                merged_ov_dist[pid] = count if prefixed_to_type[pid] == option_type_id
-              end
-            end
-
-            facet_distribution = (ms_result['facetDistribution'] || {}).merge('option_value_ids' => merged_ov_dist)
-          else
-            ms_result = client.index(index_name).search(query.to_s, search_params)
-            facet_distribution = ms_result['facetDistribution'] || {}
-          end
-        rescue ::Meilisearch::ApiError => e
-          Rails.logger.warn { "[Meilisearch] Search failed: #{e.message}. Run `rake spree:search:reindex` to initialize the index." }
-          Rails.error.report(e, handled: true, context: { index: index_name, query: query })
-          return empty_result(scope, page, limit)
-        end
-
-        Rails.logger.debug { "[Meilisearch] #{ms_result['estimatedTotalHits']} hits in #{ms_result['processingTimeMs']}ms" }
+        ms_result, _ = execute_search(query: query, filters: filters, sort: sort, page: page, limit: limit)
+        return empty_result(scope, page, limit) unless ms_result
 
         # Hits have composite prefixed_id (prod_abc_en_USD), extract product_id (prod_abc)
         product_prefixed_ids = ms_result['hits'].map { |h| h['product_id'] }.uniq
@@ -115,11 +40,28 @@ module Spree
 
         SearchResult.new(
           products: products,
+          total_count: ms_result['estimatedTotalHits'] || 0,
+          pagy: pagy
+        )
+      end
+
+      def filters(scope:, query: nil, filters: {})
+        ms_result, facet_distribution = execute_search(query: query, filters: filters, sort: nil, page: 1, limit: 0, return_facets: true)
+
+        unless ms_result
+          return FiltersResult.new(
+            filters: [],
+            sort_options: available_sort_options.map { |id| { id: id } },
+            default_sort: 'manual',
+            total_count: 0
+          )
+        end
+
+        FiltersResult.new(
           filters: build_facet_response(facet_distribution),
           sort_options: available_sort_options.map { |id| { id: id } },
           default_sort: 'manual',
-          total_count: ms_result['estimatedTotalHits'] || 0,
-          pagy: pagy
+          total_count: ms_result['estimatedTotalHits'] || 0
         )
       end
 
@@ -193,6 +135,84 @@ module Spree
 
       private
 
+      # Execute a Meilisearch query. Returns [ms_result, facet_distribution].
+      # facet_distribution is empty when return_facets is false. Returns nil on API error.
+      def execute_search(query:, filters:, sort:, page:, limit:, return_facets: false)
+        filters = filters.to_unsafe_h if filters.respond_to?(:to_unsafe_h)
+        filters = (filters || {}).stringify_keys
+
+        option_value_ids = extract_and_delete(filters, 'with_option_value_ids')
+        grouped_options = group_option_values_by_type(Array(option_value_ids))
+
+        base_conditions = build_filters(filters)
+        option_conditions = build_grouped_option_conditions(grouped_options)
+        all_conditions = base_conditions + option_conditions
+
+        search_params = {
+          filter: all_conditions,
+          facets: return_facets ? facet_attributes : nil,
+          sort: build_sort(sort),
+          offset: (page - 1) * limit,
+          limit: limit
+        }.compact
+
+        Rails.logger.debug { "[Meilisearch] index=#{index_name} query=#{query.inspect} #{search_params.compact.inspect}" }
+
+        begin
+          if return_facets && grouped_options.any?
+            queries = [{ indexUid: index_name, q: query.to_s, **search_params }]
+            option_type_ids_ordered = grouped_options.keys
+            option_type_ids_ordered.each do |option_type_id|
+              without_this = build_grouped_option_conditions(grouped_options.except(option_type_id))
+              queries << { indexUid: index_name, q: query.to_s, filter: base_conditions + without_this, facets: ['option_value_ids'], limit: 0 }
+            end
+
+            results = client.multi_search(queries)
+            ms_result = results['results'][0]
+            facet_distribution = merge_disjunctive_facets(ms_result, results['results'][1..], option_type_ids_ordered)
+          else
+            ms_result = client.index(index_name).search(query.to_s, search_params)
+            facet_distribution = ms_result['facetDistribution'] || {}
+          end
+        rescue ::Meilisearch::ApiError => e
+          Rails.logger.warn { "[Meilisearch] Search failed: #{e.message}. Run `rake spree:search:reindex` to initialize the index." }
+          Rails.error.report(e, handled: true, context: { index: index_name, query: query })
+          return nil
+        end
+
+        Rails.logger.debug { "[Meilisearch] #{ms_result['estimatedTotalHits']} hits in #{ms_result['processingTimeMs']}ms" }
+
+        [ms_result, facet_distribution]
+      end
+
+      def merge_disjunctive_facets(ms_result, disjunctive_results, option_type_ids_ordered)
+        main_ov_dist = ms_result.dig('facetDistribution', 'option_value_ids') || {}
+
+        all_ov_prefixed_ids = Set.new
+        disjunctive_dists = {}
+        disjunctive_results.each_with_index do |r, idx|
+          dist = r.dig('facetDistribution', 'option_value_ids') || {}
+          disjunctive_dists[option_type_ids_ordered[idx]] = dist
+          all_ov_prefixed_ids.merge(dist.keys)
+        end
+
+        all_raw_ids = all_ov_prefixed_ids.filter_map { |pid| Spree::OptionValue.decode_prefixed_id(pid) }
+        ov_to_type = Spree::OptionValue.where(id: all_raw_ids).pluck(:id, :option_type_id).to_h
+        prefixed_to_type = all_ov_prefixed_ids.each_with_object({}) do |pid, h|
+          raw = Spree::OptionValue.decode_prefixed_id(pid)
+          h[pid] = ov_to_type[raw] if raw
+        end
+
+        merged_ov_dist = main_ov_dist.dup
+        disjunctive_dists.each do |option_type_id, dist|
+          dist.each do |pid, count|
+            merged_ov_dist[pid] = count if prefixed_to_type[pid] == option_type_id
+          end
+        end
+
+        (ms_result['facetDistribution'] || {}).merge('option_value_ids' => merged_ov_dist)
+      end
+
       def presenter_class
         Spree::Dependencies.search_product_presenter_class
       end
@@ -436,9 +456,6 @@ module Spree
       def empty_result(scope, page, limit)
         SearchResult.new(
           products: scope.none,
-          filters: [],
-          sort_options: available_sort_options.map { |id| { id: id } },
-          default_sort: 'manual',
           total_count: 0,
           pagy: Pagy::Offset.new(count: 0, page: page, limit: limit)
         )

data/app/models/spree/search_provider/search_result.rb

@@ -1,5 +1,5 @@
 module Spree
   module SearchProvider
-    SearchResult = Struct.new(:products, :filters, :sort_options, :default_sort, :total_count, :pagy, keyword_init: true)
+    SearchResult = Struct.new(:products, :total_count, :pagy, keyword_init: true)
   end
 end

data/app/models/spree/shipment.rb

@@ -272,16 +272,22 @@ module Spree
     def manifest
       # Grouping by the ID means that we don't have to call out to the association accessor
       # This makes the grouping by faster because it results in less SQL cache hits.
-      inventory_units.group_by(&:variant_id).map do |_variant_id, units|
-        units.group_by(&:line_item_id).map do |_line_item_id, units|
+      inventory_units.group_by(&:variant_id).flat_map do |_variant_id, units|
+        units.group_by(&:line_item_id).filter_map do |_line_item_id, units|
+          line_item = units.first.line_item
+          # Defensively skip orphaned inventory units (line item destroyed
+          # without cascading) so a single bad row doesn't crash callers that
+          # rely on line_item being present (item_cost, item_weight, the admin
+          # shipment manifest view, etc.).
+          next if line_item.nil?
+
           states = {}
           units.group_by(&:state).each { |state, iu| states[state] = iu.sum(&:quantity) }
 
-          line_item = units.first.line_item
           variant = units.first.variant
           ManifestItem.new(line_item, variant, units.sum(&:quantity), states)
         end
-      end.flatten
+      end
     end
 
     def process_order_payments

data/app/models/spree/subscriber.rb

@@ -9,7 +9,7 @@ module Spree
   #
   # @example Basic subscriber
   #   class OrderCompletedNotifier < Spree::Subscriber
-  #     subscribes_to 'order.complete'
+  #     subscribes_to 'order.completed'
   #
   #     def call(event)
   #       order_id = event.payload['id']
@@ -19,7 +19,7 @@ module Spree
   #
   # @example Multi-event subscriber
   #   class OrderAuditLogger < Spree::Subscriber
-  #     subscribes_to 'order.complete', 'order.cancel', 'order.resume'
+  #     subscribes_to 'order.completed', 'order.canceled', 'order.resumed'
   #
   #     def call(event)
   #       AuditLog.create!(
@@ -41,11 +41,11 @@ module Spree
   #
   # @example Subscriber with method routing
   #   class PaymentSubscriber < Spree::Subscriber
-  #     subscribes_to 'payment.complete', 'payment.void', 'payment.refund'
+  #     subscribes_to 'payment.completed', 'payment.voided', 'refund.created'
   #
-  #     on 'payment.complete', :handle_complete
-  #     on 'payment.void', :handle_void
-  #     on 'payment.refund', :handle_refund
+  #     on 'payment.completed', :handle_complete
+  #     on 'payment.voided', :handle_void
+  #     on 'refund.created', :handle_refund
   #
   #     private
   #
@@ -64,7 +64,7 @@ module Spree
   #
   # @example Synchronous subscriber (runs immediately, not via ActiveJob)
   #   class CriticalOrderHandler < Spree::Subscriber
-  #     subscribes_to 'order.complete', async: false
+  #     subscribes_to 'order.completed', async: false
   #
   #     def call(event)
   #       # This runs synchronously
@@ -81,10 +81,10 @@ module Spree
       # @return [void]
       #
       # @example
-      #   subscribes_to 'order.complete'
-      #   subscribes_to 'order.complete', 'order.cancel'
+      #   subscribes_to 'order.completed'
+      #   subscribes_to 'order.completed', 'order.canceled'
       #   subscribes_to 'order.*'
-      #   subscribes_to 'order.complete', async: false
+      #   subscribes_to 'order.completed', async: false
       #
       def subscribes_to(*patterns, **options)
         @subscription_patterns ||= []
@@ -102,8 +102,8 @@ module Spree
       # @return [void]
       #
       # @example
-      #   on 'payment.complete', :handle_complete
-      #   on 'payment.void', :handle_void
+      #   on 'payment.completed', :handle_complete
+      #   on 'payment.voided', :handle_void
       #
       def on(pattern, method_name)
         @event_handlers ||= {}

data/app/presenters/spree/csv/formula_sanitizer.rb

@@ -0,0 +1,28 @@
+module Spree
+  module CSV
+    # Neutralizes CSV formula injection (CWE-1236 / OWASP "CSV Injection")
+    # by prefixing cells that would otherwise be evaluated as a formula
+    # when the exported file is opened in Excel, Google Sheets, LibreOffice,
+    # or Numbers.
+    #
+    # The leading apostrophe is the OWASP-recommended marker — spreadsheets
+    # render the cell as plain text without displaying the apostrophe.
+    module FormulaSanitizer
+      TRIGGERS = ["=", "+", "-", "@", "\t", "\r", "\n"].freeze
+
+      module_function
+
+      def cell(value)
+        return value unless value.is_a?(String)
+        return value if value.empty?
+        return value unless TRIGGERS.include?(value[0])
+
+        "'#{value}"
+      end
+
+      def row(values)
+        values.map { |v| cell(v) }
+      end
+    end
+  end
+end

data/app/services/spree/credit_cards/destroy.rb

@@ -1,41 +1,25 @@
 module Spree
   module CreditCards
+    # @deprecated Use card.destroy directly instead. Payment cleanup is now
+    #   handled by the before_destroy callback in Spree::PaymentSourceConcern.
+    #   This service will be removed in Spree 6.0.
     class Destroy
       prepend Spree::ServiceModule::Base
 
       def call(card:)
-        ApplicationRecord.transaction do
-          run :invalidate_payments
-          run :void_payments
-          run :destroy
-        end
-      end
-
-      protected
-
-      def invalidate_payments(card:)
-        payment_scope(card).checkout.each(&:invalidate!)
-
-        success(card: card)
-      end
+        Spree::Deprecation.warn(
+          "#{self.class.name} is deprecated and will be removed in Spree 6.0. " \
+          'Use card.destroy directly instead. Payment cleanup is now handled ' \
+          'automatically by the before_destroy callback in PaymentSourceConcern.',
+          caller_locations(2)
+        )
 
-      def void_payments(card:)
-        payment_scope(card).where.not(state: :checkout).each(&:void!)
-
-        success(card: card)
-      end
-
-      def destroy(card:)
         if card.destroy
           success(card: card)
         else
-          failure(card.errors.full_messages.to_sentance)
+          failure(card.errors.full_messages.to_sentence)
         end
       end
-
-      def payment_scope(card)
-        card.payments.valid.joins(:order).merge(Spree::Order.incomplete)
-      end
     end
   end
 end

data/app/services/spree/gift_cards/apply.rb

@@ -68,7 +68,11 @@ module Spree
         )
         payment_method.name ||= Spree.t(:store_credit_name)
         payment_method.active = true
-        payment_method.save! if payment_method.new_record?
+
+        if payment_method.new_record?
+          payment_method.stores << store unless payment_method.stores.include?(store)
+          payment_method.save!
+        end
 
         payment_method
       end

data/app/services/spree/imports/row_processors/base.rb

@@ -2,10 +2,14 @@ module Spree
   module Imports
     module RowProcessors
       class Base
-        def initialize(row)
+        def initialize(row, mappings: nil, schema_fields: nil)
           @row = row
           @import = row.import
-          @attributes = row.to_schema_hash
+          @attributes = if mappings && schema_fields
+                          build_schema_hash(row, mappings, schema_fields)
+                        else
+                          row.to_schema_hash
+                        end
         end
 
         attr_reader :row, :import, :attributes
@@ -13,6 +17,19 @@ module Spree
         def process!
           raise NotImplementedError, 'Subclasses must implement the process! method'
         end
+
+        private
+
+        def build_schema_hash(row, mappings, schema_fields)
+          attributes = {}
+          schema_fields.each do |field|
+            mapping = mappings.find { |m| m.schema_field == field[:name] }
+            next unless mapping&.mapped?
+
+            attributes[field[:name]] = row.data_json[mapping.file_column]
+          end
+          attributes
+        end
       end
     end
   end

data/app/services/spree/imports/row_processors/product_translation.rb

@@ -4,7 +4,7 @@ module Spree
       class ProductTranslation < Base
         TRANSLATABLE_FIELDS = %w[name description meta_title meta_description].freeze
 
-        def initialize(row)
+        def initialize(row, **)
           super
           @store = row.store
         end

data/app/services/spree/imports/row_processors/product_variant.rb

@@ -4,7 +4,7 @@ module Spree
       class ProductVariant < Base
         OPTION_TYPES_COUNT = 3
 
-        def initialize(row)
+        def initialize(row, **)
           super
           @store = row.store
           @product = ensure_product_exists

data/app/services/spree/payments/handle_webhook.rb

@@ -28,21 +28,20 @@ module Spree
 
       private
 
+      # `Spree::Payment#confirm!` honors the payment method's `auto_capture?` setting:
+      # auto_capture → complete! + capture_event; otherwise → pend! (auth-only, payment_state=balance_due).
       def handle_success(payment_session, order, metadata)
         order.with_lock do
-          # Ensure payment record exists
-          payment = payment_session.find_or_create_payment!(metadata)
-
-          # Mark payment as completed — the webhook confirms the gateway processed it
-          if payment.present? && !payment.completed?
-            payment.started_processing! if payment.checkout?
-            payment.complete! if payment.can_complete?
+          # Idempotency: if the session was already completed (by the API
+          # endpoint or a previous webhook), skip duplicate processing.
+          if payment_session.reload.completed?
+            return success(payment_session)
           end
 
-          # Mark session as completed
+          payment = payment_session.find_or_create_payment!(metadata)
+          payment.confirm! if payment.present? && !payment.completed?
           payment_session.complete if payment_session.can_complete?
 
-          # Complete order if not already done
           unless order.reload.completed?
             Spree::Dependencies.carts_complete_service.constantize.call(cart: order)
           end

data/app/subscribers/spree/event_log_subscriber.rb

@@ -9,32 +9,34 @@ module Spree
   # Rails.application.config.filter_parameters.
   #
   # @example Output
-  #   [Spree Event] order.complete | payload: {"id"=>1} | 0.5ms
+  #   [Spree Event] order.completed | payload: {"id"=>1} | 0.5ms
   #
   class EventLogSubscriber
     NAMESPACE = 'spree'
 
     class << self
       def attach_to_notifications
-        # Always detach first to ensure clean state after code reload
+        # Always detach first to ensure clean state after code reload.
+        # The subscription reference is stored on Spree::Events (in lib/, not
+        # reloaded by Zeitwerk) so repeated reloads in development do not leak
+        # stale AS::N subscriptions when this class is reloaded.
         detach_from_notifications
 
-        @subscription = ActiveSupport::Notifications.subscribe(/\.#{NAMESPACE}$/) do |name, start, finish, _id, payload|
+        Spree::Events.log_subscription = ActiveSupport::Notifications.subscribe(/\.#{NAMESPACE}$/) do |name, start, finish, _id, payload|
           log_event(name, start, finish, payload)
         end
 
-        @attached = true
         Rails.logger.info "[Spree Events] Event logging enabled"
       end
 
       def detach_from_notifications
-        ActiveSupport::Notifications.unsubscribe(@subscription) if @subscription
-        @subscription = nil
-        @attached = false
+        subscription = Spree::Events.log_subscription
+        ActiveSupport::Notifications.unsubscribe(subscription) if subscription
+        Spree::Events.log_subscription = nil
       end
 
       def attached?
-        @attached || false
+        !Spree::Events.log_subscription.nil?
       end
 
       private