Merge pull request #13830 from mkllnk/highline

Bump highline from 2.0.3 to 3.1.2 to support newer rubies

.codeclimate.yml

@@ -1,56 +0,0 @@
-version: "2"
-plugins:
-  rubocop:
-    enabled: true
-    channel: "rubocop-1-12"
-    config:
-      file: ".rubocop.yml"
-  scss-lint:
-    enabled: true
-    checks:
-      ImportantRule:
-        enabled: false
-      VendorPrefix:
-        enabled: false
-      LeadingZero:
-        enabled: false
-      PropertySortOrder:
-        enabled: false
-      StringQuotes:
-        enabled: false
-      DeclarationOrder:
-        enabled: false
-      NestingDepth:
-        enabled: false
-
-  duplication:
-    enabled: true
-    exclude_patterns:
-    - "db/**"
-    - "config/initializers/active_record_postgresql_referential_integrity_patch.rb"
-checks:
-  argument-count:
-    enabled: false
-  complex-logic:
-    enabled: false
-  file-lines:
-    enabled: false
-  method-complexity:
-    enabled: false
-  method-count:
-    enabled: false
-  method-lines:
-    enabled: false
-  nested-control-flow:
-    enabled: false
-  return-statements:
-    enabled: false
-  similar-code:
-    enabled: false
-  identical-code:
-    enabled: false
-exclude_patterns:
-- "spec/**/*"
-- "vendor/**/*"
-- "app/assets/javascripts/shared/*"
-- "app/assets/javascripts/jquery-migrate-1.0.0.js"

.env.test

@@ -20,7 +20,6 @@ STRIPE_INSTANCE_SECRET_KEY="bogus_key"
 STRIPE_CUSTOMER="bogus_customer"
 STRIPE_ACCOUNT="bogus_account"
 STRIPE_CLIENT_ID="bogus_client_id"
-STRIPE_PUBLIC_TEST_API_KEY="bogus_stripe_publishable_key"
 
 SITE_URL="test.host"
 

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,4 +1,4 @@
-#### What? Why?
+## What? Why?
 
 - Closes # <!-- Insert issue number here. -->
 
@@ -7,7 +7,7 @@
 
 
 
-#### What should we test?
+## What should we test?
 <!-- List which features should be tested and how.
      This can be similar to the Steps to Reproduce in the issue.
      Also think of other parts of the app which could be affected
@@ -16,7 +16,7 @@
 - Visit ... page.
 - 
 
-#### Release notes
+## Release notes
 
 <!-- Please select one for your PR and delete the other. -->
 
@@ -33,12 +33,12 @@ Changelog Category (reviewers may add a label for the release notes):
 The title of the pull request will be included in the release notes.
 
 
-#### Dependencies
+## Dependencies
 <!-- Does this PR depend on another one?
      Add the link or remove this section. -->
 
 
 
-#### Documentation updates
+## Documentation updates
 <!-- Are there any wiki pages that need updating after merging this PR?
      List them here or remove this section. -->

.github/dependabot.yml

@@ -4,7 +4,28 @@
 # Most of the configuration here is not used for security updates though.
 
 version: 2
+
+multi-ecosystem-groups:
+  turbo_power:
+    schedule:
+      interval: "daily"
+
 updates:
+  - package-ecosystem: "bundler"
+    directory: "/"
+    patterns: ["turbo_power"]
+    multi-ecosystem-group: "turbo_power"
+
+    # Only specific requirements are specified in Gemfile, so don't touch it.
+    versioning-strategy: lockfile-only
+
+  - package-ecosystem: "npm"
+    directory: "/"
+    patterns: ["turbo_power"]
+    multi-ecosystem-group: "turbo_power"
+
+    # Only specific requirements are specified in package.json, so don't touch it.
+    versioning-strategy: lockfile-only
 
   - package-ecosystem: "bundler"
     directory: "/"
@@ -19,5 +40,5 @@ updates:
     schedule:
       interval: "daily"
 
-    # All versions are specified in package.json, so please update them.
-    versioning-strategy: increase
+    # Only specific requirements are specified in package.json, so don't touch it.
+    versioning-strategy: lockfile-only

.github/workflows/linters.yml

@@ -1,10 +1,10 @@
 name: Linters
-on: [push, pull_request]
+on: [pull_request]
 permissions:
   contents: read # to fetch code (actions/checkout)
 jobs:
   lint:
-    name: prettier and rubocop
+    name: reviewdog
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
@@ -21,21 +21,10 @@ jobs:
 
       - run: git show --no-patch # the commit being tested (which is often a merge due to actions/checkout@v3)
 
-      - name: prettier
-        uses: EPMatt/reviewdog-action-prettier@v1
+      - uses: reviewdog/action-setup@v1
         with:
-          github_token: ${{ secrets.github_token }}
-          reporter: github-pr-check
-          level: error
-          fail_on_error: true
+          reviewdog_version: v0.21.0
 
-      - name: rubocop
-        uses: reviewdog/action-rubocop@v2
-        with:
-          rubocop_version: gemfile
-          rubocop_extensions: rubocop-rails:gemfile rubocop-rspec:gemfile
-          reporter: github-pr-check
-          level: error
-          filter_mode: nofilter
-          use_bundler: true
-          fail_level: any
+      - run: ./script/reviewdog.sh
+        env:
+          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.github_token }}

.haml-lint.yml

@@ -2,19 +2,12 @@
 # frameworks such as Jekyll/Middleman
 skip_frontmatter: false
 
+inherits_from: .haml-lint_todo.yml
+
 linters:
   AltText:
     enabled: false
 
-  ClassAttributeWithStaticValue:
-    enabled: true
-
-  ClassesBeforeIds:
-    enabled: true
-
-  ConsecutiveComments:
-    enabled: true
-
   ConsecutiveSilentScripts:
     enabled: true
     max_consecutive: 2
@@ -32,7 +25,6 @@ linters:
     enabled: true
 
   LineLength:
-    enabled: true
     max: 80
 
   MultilinePipe:
@@ -47,24 +39,11 @@ linters:
   RuboCop:
     enabled: false
 
-  RubyComments:
-    enabled: true
-
-  SpaceBeforeScript:
-    enabled: true
-
   SpaceInsideHashAttributes:
-    enabled: true
     style: no_space
 
   TagName:
     enabled: true
 
-  TrailingWhitespace:
-    enabled: true
-
   UnnecessaryInterpolation:
     enabled: true
-
-  UnnecessaryStringOutput:
-    enabled: true

.haml-lint_todo.yml

@@ -0,0 +1,153 @@
+# This configuration was generated by
+# `haml-lint --auto-gen-config`
+# on 2025-10-30 09:19:50 +0100 using Haml-Lint version 0.66.0.
+# The point is for the user to remove these configuration records
+# one by one as the lints are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of Haml-Lint, may require this file to be generated again.
+
+linters:
+
+  # Offense count: 35
+  ClassAttributeWithStaticValue:
+    enabled: false
+
+  # Offense count: 77
+  ClassesBeforeIds:
+    enabled: false
+
+  # Offense count: 18
+  ConsecutiveComments:
+    enabled: false
+
+  # Offense count: 22
+  ConsecutiveSilentScripts:
+    exclude:
+      - "app/views/admin/contents/_fieldset.html.haml"
+      - "app/views/admin/enterprises/form/_tag_rules.html.haml"
+      - "app/views/admin/order_cycles/edit.html.haml"
+      - "app/views/admin/products_v3/product_preview.turbo_stream.haml"
+      - "app/views/admin/reports/_date_range_form.html.haml"
+      - "app/views/checkout/_details.html.haml"
+      - "app/views/checkout/_payment.html.haml"
+      - "app/views/spree/admin/adjustments/_adjustments_table.html.haml"
+      - "app/views/spree/admin/orders/customer_details/_address_form.html.haml"
+      - "app/views/spree/admin/tax_categories/index.html.haml"
+      - "app/views/spree/admin/users/index.html.haml"
+
+  # Offense count: 14
+  FinalNewline:
+    exclude:
+      - "app/assets/javascripts/templates/shared/question_mark_with_tooltip.html.haml"
+      - "app/views/admin/enterprises/form/_social.html.haml"
+      - "app/views/admin/json/_injection_ams.html.haml"
+      - "app/views/admin/order_cycles/_date_time_warning_modal_content.html.haml"
+      - "app/views/admin/order_cycles/edit.html.haml"
+      - "app/views/admin/product_import/_ams_data.html.haml"
+      - "app/views/admin/reports/_row_group.haml"
+      - "app/views/admin/reports/filters/_enterprise_fee_summary.html.haml"
+      - "app/views/admin/reports/filters/_users_and_enterprises.html.haml"
+      - "app/views/shop/_blocked_cookies.html.haml"
+      - "app/views/spree/admin/orders/_invoice/_order_note.html.haml"
+      - "app/views/spree/admin/orders/invoice4.html.haml"
+      - "app/views/spree/admin/taxons/destroy_taxon.turbo_stream.haml"
+      - "app/views/spree/admin/users/_email_confirmation.html.haml"
+
+  # Offense count: 130
+  IdNames:
+    enabled: false
+
+  # Offense count: 5
+  Indentation:
+    exclude:
+      - "app/views/admin/products_v3/clone.turbo_stream.haml"
+      - "app/views/admin/products_v3/destroy_product_variant.turbo_stream.haml"
+      - "app/views/spree/admin/taxons/destroy_taxon.turbo_stream.haml"
+
+  # Offense count: 191
+  InlineStyles:
+    enabled: false
+
+  # Offense count: 589
+  InstanceVariables:
+    enabled: false
+
+  # Offense count: 2
+  LeadingCommentSpace:
+    exclude:
+      - "app/views/admin/reports/_row_group.haml"
+
+  # Offense count: 2331
+  LineLength:
+    enabled: false
+
+  # Offense count: 1
+  MultilinePipe:
+    exclude:
+      - "app/views/admin/reports/_rendering_options.html.haml"
+
+  # Offense count: 2
+  MultilineScript:
+    exclude:
+      - "app/views/admin/products_v3/product_preview.turbo_stream.haml"
+      - "app/views/checkout/_voucher_section.html.haml"
+
+  # Offense count: 2
+  RepeatedId:
+    exclude:
+      - "app/assets/javascripts/templates/admin/save_bar.html.haml"
+
+  # Offense count: 24
+  RubyComments:
+    enabled: false
+
+  # Offense count: 104
+  SpaceBeforeScript:
+    enabled: false
+
+  # Offense count: 3345
+  SpaceInsideHashAttributes:
+    enabled: false
+
+  # Offense count: 22
+  TrailingEmptyLines:
+    enabled: false
+
+  # Offense count: 73
+  TrailingWhitespace:
+    enabled: false
+
+  # Offense count: 13
+  UnnecessaryInterpolation:
+    exclude:
+      - "app/components/example_component/example_component.html.haml"
+      - "app/views/admin/product_import/_entries_table.html.haml"
+      - "app/views/admin/product_import/import.html.haml"
+      - "app/views/admin/variant_overrides/_filters.html.haml"
+      - "app/views/registration/steps/_introduction.html.haml"
+      - "app/views/spree/order_mailer/_shipping.html.haml"
+      - "app/views/spree/order_mailer/invoice_email.html.haml"
+      - "app/views/spree/shared/_shipment_delivery_details.html.haml"
+      - "app/views/spree/shared/_shipment_pickup_details.html.haml"
+
+  # Offense count: 68
+  UnnecessaryStringOutput:
+    enabled: false
+
+  # Offense count: 14
+  ViewLength:
+    exclude:
+      - "app/assets/javascripts/templates/admin/panels/enterprise_package.html.haml"
+      - "app/views/admin/customers/index.html.haml"
+      - "app/views/admin/enterprises/_new_form.html.haml"
+      - "app/views/admin/enterprises/form/_shop_preferences.html.haml"
+      - "app/views/admin/product_import/_import_review.html.haml"
+      - "app/views/admin/products_v3/product_preview.turbo_stream.haml"
+      - "app/views/checkout/_details.html.haml"
+      - "app/views/groups/show.html.haml"
+      - "app/views/producer_mailer/order_cycle_report.html.haml"
+      - "app/views/shared/_footer.html.haml"
+      - "app/views/spree/admin/orders/bulk_management.html.haml"
+      - "app/views/spree/admin/orders/invoice4.html.haml"
+      - "app/views/spree/admin/products/new.html.haml"
+      - "app/views/spree/admin/variants/_form.html.haml"

.hound.yml

@@ -1,6 +0,0 @@
-rubocop:
-  config_file: .rubocop_styleguide.yml
-scss:
-  config_file: .scss-lint.yml
-haml:
-  config_file: .haml-lint.yml

.node-version

@@ -1 +1 @@
-17.9.1
+24.10.0

.rubocop.yml

@@ -4,7 +4,7 @@
 #
 # The configuration is split into three files. Look into those files for more details.
 #
-require:
+plugins:
   - rubocop-capybara
   - rubocop-factory_bot
   - rubocop-rails

.rubocop_styleguide.yml

@@ -94,7 +94,7 @@ Metrics/PerceivedComplexity:
   Enabled: true
   Max: 14 # default 8
 
-Naming/PredicateName:
+Naming/PredicatePrefix:
   Enabled: false
 
 Naming/VariableNumber:

.rubocop_todo.yml

@@ -1,11 +1,44 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config --auto-gen-only-exclude --exclude-limit 1400 --no-auto-gen-timestamp`
-# using RuboCop version 1.64.1.
+# using RuboCop version 1.81.7.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
 # versions of RuboCop, may require this file to be generated again.
 
+# Offense count: 1
+# This cop supports unsafe autocorrection (--autocorrect-all).
+# Configuration parameters: RequireParenthesesForMethodChains.
+Lint/AmbiguousRange:
+  Exclude:
+    - 'app/models/concerns/permalink_generator.rb'
+
+# Offense count: 6
+Lint/CopDirectiveSyntax:
+  Exclude:
+    - 'app/services/orders/bulk_cancel_service.rb'
+    - 'lib/tasks/simplecov.rake'
+    - 'spec/models/database_spec.rb'
+    - 'spec/system/admin/bulk_order_management_spec.rb'
+    - 'spec/system/admin/enterprise_relationships_spec.rb'
+
+# Offense count: 2
+Lint/DuplicateMethods:
+  Exclude:
+    - 'app/models/spree/order.rb'
+    - 'engines/order_management/app/services/order_management/subscriptions/form.rb'
+
+# Offense count: 3
+Lint/UselessConstantScoping:
+  Exclude:
+    - 'app/services/weights_and_measures.rb'
+    - 'lib/reporting/report_metadata_builder.rb'
+
+# Offense count: 1
+Lint/UselessOr:
+  Exclude:
+    - 'app/models/product_import/entry_validator.rb'
+
 # Offense count: 24
 # Configuration parameters: AllowedMethods, AllowedPatterns, CountRepeatedAttributes, Max.
 Metrics/AbcSize:
@@ -42,12 +75,12 @@ Metrics/BlockLength:
     - 'lib/tasks/data.rake'
 
 # Offense count: 1
-# Configuration parameters: CountBlocks, Max.
+# Configuration parameters: CountBlocks, CountModifierForms, Max.
 Metrics/BlockNesting:
   Exclude:
     - 'app/models/spree/payment/processing.rb'
 
-# Offense count: 48
+# Offense count: 49
 # Configuration parameters: CountComments, Max, CountAsOne.
 Metrics/ClassLength:
   Exclude:
@@ -89,6 +122,7 @@ Metrics/ClassLength:
     - 'app/services/order_cycles/form_service.rb'
     - 'app/services/orders/sync_service.rb'
     - 'app/services/permissions/order.rb'
+    - 'app/services/products_renderer.rb'
     - 'app/services/sets/product_set.rb'
     - 'engines/order_management/app/services/order_management/order/updater.rb'
     - 'lib/open_food_network/enterprise_fee_calculator.rb'
@@ -100,7 +134,7 @@ Metrics/ClassLength:
     - 'lib/reporting/reports/enterprise_fee_summary/scope.rb'
     - 'lib/reporting/reports/xero_invoices/base.rb'
 
-# Offense count: 30
+# Offense count: 37
 # Configuration parameters: AllowedMethods, AllowedPatterns, Max.
 Metrics/CyclomaticComplexity:
   Exclude:
@@ -123,6 +157,11 @@ Metrics/CyclomaticComplexity:
     - 'app/models/spree/tax_rate.rb'
     - 'app/models/spree/zone.rb'
     - 'lib/open_food_network/enterprise_issue_validator.rb'
+    - 'lib/reporting/reports/orders_and_fulfillment/order_cycle_customer_totals.rb'
+    - 'lib/reporting/reports/orders_and_fulfillment/order_cycle_supplier_totals.rb'
+    - 'lib/reporting/reports/payments/itemised_payment_totals.rb'
+    - 'lib/reporting/reports/payments/payment_totals.rb'
+    - 'lib/reporting/reports/sales_tax/sales_tax_totals_by_producer.rb'
     - 'lib/reporting/reports/xero_invoices/base.rb'
     - 'lib/spree/core/controller_helpers/order.rb'
     - 'lib/spree/core/controller_helpers/respond_with.rb'
@@ -182,8 +221,9 @@ Metrics/PerceivedComplexity:
     - 'app/models/spree/order/checkout.rb'
 
 # Offense count: 1
-# Configuration parameters: EnforcedStyle, AllowedPatterns.
+# Configuration parameters: EnforcedStyle, AllowedPatterns, ForbiddenIdentifiers, ForbiddenPatterns.
 # SupportedStyles: snake_case, camelCase
+# ForbiddenIdentifiers: __id__, __send__
 Naming/MethodName:
   Exclude:
     - 'engines/dfc_provider/lib/dfc_provider/catalog_item.rb'
@@ -195,23 +235,150 @@ Naming/MethodParameterName:
   Exclude:
     - 'engines/dfc_provider/lib/dfc_provider/catalog_item.rb'
 
+# Offense count: 60
+# Configuration parameters: Mode, AllowedMethods, AllowedPatterns, AllowBangMethods, WaywardPredicates.
+# AllowedMethods: call
+# WaywardPredicates: nonzero?
+Naming/PredicateMethod:
+  Exclude:
+    - 'app/controllers/admin/product_import_controller.rb'
+    - 'app/controllers/api/v0/order_cycles_controller.rb'
+    - 'app/controllers/spree/admin/overview_controller.rb'
+    - 'app/controllers/spree/admin/payments_controller.rb'
+    - 'app/controllers/voucher_adjustments_controller.rb'
+    - 'app/forms/enterprise_fees_bulk_update.rb'
+    - 'app/forms/schedule_form.rb'
+    - 'app/helpers/spree/orders_helper.rb'
+    - 'app/models/concerns/variant_stock.rb'
+    - 'app/models/enterprise.rb'
+    - 'app/models/enterprise_fee.rb'
+    - 'app/models/invoice/data_presenter.rb'
+    - 'app/models/order_cycle.rb'
+    - 'app/models/product_import/entry_processor.rb'
+    - 'app/models/product_import/entry_validator.rb'
+    - 'app/models/spree/order.rb'
+    - 'app/models/spree/order_contents.rb'
+    - 'app/models/spree/payment.rb'
+    - 'app/models/spree/payment/processing.rb'
+    - 'app/models/spree/state_change.rb'
+    - 'app/models/spree/user.rb'
+    - 'app/reflexes/admin/orders_reflex.rb'
+    - 'app/serializers/api/admin/for_order_cycle/enterprise_serializer.rb'
+    - 'app/serializers/api/admin/index_enterprise_serializer.rb'
+    - 'app/serializers/api/admin/index_order_cycle_serializer.rb'
+    - 'app/serializers/api/admin/order_cycle_serializer.rb'
+    - 'app/serializers/api/admin/order_serializer.rb'
+    - 'app/serializers/api/admin/schedule_serializer.rb'
+    - 'app/serializers/api/admin/subscription_line_item_serializer.rb'
+    - 'app/serializers/api/admin/user_serializer.rb'
+    - 'app/serializers/api/admin/variant_serializer.rb'
+    - 'app/serializers/api/enterprise_shopfront_serializer.rb'
+    - 'app/serializers/api/enterprise_thin_serializer.rb'
+    - 'app/serializers/api/order_serializer.rb'
+    - 'app/serializers/api/uncached_enterprise_serializer.rb'
+    - 'app/services/cart_service.rb'
+    - 'app/services/orders/fetch_adjustments_service.rb'
+    - 'app/services/orders/workflow_service.rb'
+    - 'app/services/sets/model_set.rb'
+    - 'app/services/sets/order_cycle_set.rb'
+    - 'app/services/sets/product_set.rb'
+    - 'engines/dfc_provider/app/controllers/dfc_provider/addresses_controller.rb'
+    - 'lib/open_food_network/order_cycle_form_applicator.rb'
+    - 'lib/open_food_network/order_cycle_permissions.rb'
+    - 'lib/reporting/reports/enterprise_fee_summary/enterprise_fees_with_tax_report_by_order.rb'
+    - 'lib/reporting/reports/enterprise_fee_summary/enterprise_fees_with_tax_report_by_producer.rb'
+    - 'lib/tasks/data/check_invalid_address_used.rake'
+
 # Offense count: 3
-# Configuration parameters: EnforcedStyle, AllowedIdentifiers, AllowedPatterns.
+# Configuration parameters: EnforcedStyle, AllowedIdentifiers, AllowedPatterns, ForbiddenIdentifiers, ForbiddenPatterns.
 # SupportedStyles: snake_case, camelCase
 Naming/VariableName:
   Exclude:
     - 'engines/dfc_provider/lib/dfc_provider/catalog_item.rb'
 
+# Offense count: 6
+# This cop supports unsafe autocorrection (--autocorrect-all).
+Rails/FindByOrAssignmentMemoization:
+  Exclude:
+    - 'app/controllers/admin/customers_controller.rb'
+    - 'app/controllers/admin/resource_controller.rb'
+    - 'app/controllers/api/v0/enterprise_fees_controller.rb'
+    - 'app/controllers/api/v0/order_cycles_controller.rb'
+    - 'lib/stripe/account_connector.rb'
+
+# Offense count: 32
+# This cop supports unsafe autocorrection (--autocorrect-all).
+Rails/OrderArguments:
+  Exclude:
+    - 'app/controllers/admin/enterprise_fees_controller.rb'
+    - 'app/controllers/admin/enterprises_controller.rb'
+    - 'app/controllers/admin/order_cycles_controller.rb'
+    - 'app/controllers/admin/product_import_controller.rb'
+    - 'app/controllers/api/v0/states_controller.rb'
+    - 'app/controllers/spree/admin/overview_controller.rb'
+    - 'app/controllers/spree/admin/products_controller.rb'
+    - 'app/helpers/enterprises_helper.rb'
+    - 'app/models/enterprise.rb'
+    - 'app/models/enterprise_group.rb'
+    - 'app/models/enterprise_relationship_permission.rb'
+    - 'app/models/order_cycle.rb'
+    - 'app/models/product_import/product_importer.rb'
+    - 'app/models/schedule.rb'
+    - 'app/models/spree/country.rb'
+    - 'app/models/spree/order.rb'
+    - 'app/models/spree/shipping_rate.rb'
+    - 'app/models/spree/user.rb'
+    - 'app/models/spree/zone.rb'
+    - 'app/models/subscription_line_item.rb'
+    - 'app/models/tag_rule.rb'
+    - 'app/models/variant_override.rb'
+    - 'lib/open_food_network/address_finder.rb'
+    - 'spec/services/orders/generate_invoice_service_spec.rb'
+    - 'spec/system/admin/order_cycles/simple_spec.rb'
+
+# Offense count: 3
+# This cop supports safe autocorrection (--autocorrect).
+Rails/Presence:
+  Exclude:
+    - 'app/controllers/admin/enterprises_controller.rb'
+    - 'app/models/spree/product.rb'
+
+# Offense count: 6
+# This cop supports safe autocorrection (--autocorrect).
+# Configuration parameters: Severity.
+Rails/RedirectBackOrTo:
+  Exclude:
+    - 'app/controllers/admin/order_cycles_controller.rb'
+    - 'app/controllers/locales_controller.rb'
+    - 'app/controllers/spree/admin/invoices_controller.rb'
+    - 'app/controllers/spree/admin/orders_controller.rb'
+    - 'app/controllers/spree/admin/return_authorizations_controller.rb'
+
 # Offense count: 1
 # Configuration parameters: TransactionMethods.
 Rails/TransactionExitStatement:
   Exclude:
     - 'app/services/place_proxy_order.rb'
 
+# Offense count: 3
+# This cop supports unsafe autocorrection (--autocorrect-all).
+Style/ArrayIntersect:
+  Exclude:
+    - 'app/models/spree/ability.rb'
+    - 'app/models/spree/variant.rb'
+
+# Offense count: 1
+# This cop supports unsafe autocorrection (--autocorrect-all).
+Style/BitwisePredicate:
+  Exclude:
+    - 'app/helpers/admin/enterprises_helper.rb'
+
 # Offense count: 23
 # This cop supports unsafe autocorrection (--autocorrect-all).
-# Configuration parameters: EnforcedStyle.
+# Configuration parameters: EnforcedStyle, EnforcedStyleForClasses, EnforcedStyleForModules.
 # SupportedStyles: nested, compact
+# SupportedStylesForClasses: ~, nested, compact
+# SupportedStylesForModules: ~, nested, compact
 Style/ClassAndModuleChildren:
   Exclude:
     - 'app/models/calculator/flat_percent_per_item.rb'
@@ -237,13 +404,33 @@ Style/ClassAndModuleChildren:
     - 'lib/open_food_network/locking.rb'
     - 'spec/models/spree/payment_method_spec.rb'
 
-# Offense count: 4
+# Offense count: 14
+# This cop supports unsafe autocorrection (--autocorrect-all).
+Style/CollectionQuerying:
+  Exclude:
+    - 'app/controllers/spree/credit_cards_controller.rb'
+    - 'app/models/product_import/product_importer.rb'
+    - 'app/models/product_import/spreadsheet_entry.rb'
+    - 'app/models/spree/order.rb'
+    - 'app/models/spree/order_inventory.rb'
+    - 'app/models/spree/payment_method.rb'
+    - 'app/models/spree/user.rb'
+    - 'app/models/stripe_account.rb'
+    - 'app/services/order_cycles/warning_service.rb'
+    - 'lib/reporting/report_renderer.rb'
+    - 'lib/tasks/sample_data.rake'
+
+# Offense count: 2
+# This cop supports unsafe autocorrection (--autocorrect-all).
+Style/HashSlice:
+  Exclude:
+    - 'app/services/product_filters.rb'
+    - 'lib/reporting/report_row_builder.rb'
+
+# Offense count: 1
 # This cop supports unsafe autocorrection (--autocorrect-all).
 Style/MapToHash:
   Exclude:
-    - 'lib/reporting/report_query_template.rb'
-    - 'lib/reporting/report_row_builder.rb'
-    - 'lib/reporting/reports/enterprise_fee_summary/fee_summary.rb'
     - 'lib/tasks/sample_data/user_factory.rb'
 
 # Offense count: 38
@@ -274,3 +461,22 @@ Style/OptionalBooleanParameter:
     - 'engines/order_management/app/services/order_management/stock/estimator.rb'
     - 'lib/spree/core/controller_helpers/order.rb'
     - 'spec/support/request/web_helper.rb'
+
+# Offense count: 3
+# This cop supports unsafe autocorrection (--autocorrect-all).
+Style/RedundantFormat:
+  Exclude:
+    - 'spec/models/product_importer_spec.rb'
+    - 'spec/requests/checkout/stripe_sca_spec.rb'
+    - 'spec/system/consumer/account/cards_spec.rb'
+
+# Offense count: 8
+# Configuration parameters: Max.
+Style/SafeNavigationChainLength:
+  Exclude:
+    - 'app/controllers/concerns/extra_fields.rb'
+    - 'app/services/customer_syncer.rb'
+    - 'app/services/fdc_offer_broker.rb'
+    - 'engines/dfc_provider/app/services/dfc_catalog.rb'
+    - 'engines/dfc_provider/app/services/image_builder.rb'
+    - 'engines/dfc_provider/app/services/quantitative_value_builder.rb'

.ruby-version

@@ -1 +1 @@
-3.1.4
+3.2.9

.scss-lint.yml

@@ -1,19 +0,0 @@
-scss_files: 'app/assets/stylesheets/**/*.css.scss'
-
-exclude: 'app/assets/stylesheets/shared/**'
-
-linters:
-  ImportantRule:
-    enabled: false
-    VendorPrefix:
-      enabled: false
-    LeadingZero:
-      enabled: false
-    PropertySortOrder:
-      enabled: false
-    StringQuotes:
-      enabled: false
-    DeclarationOrder:
-      enabled: false
-    NestingDepth:
-      enabled: false

Dockerfile

@@ -1,4 +1,4 @@
-FROM ruby:3.1.4-alpine3.19 AS base
+FROM ruby:3.2.9-alpine3.19 AS base
 ENV LANG=C.UTF-8 \
     LC_ALL=C.UTF-8 \
     TZ=Europe/London \

Gemfile

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-source 'https://rubygems.org'
+source 'https://gem.coop'
 git_source(:github) { |repo_name| "https://github.com/#{repo_name}.git" }
 
 ruby File.read('.ruby-version').chomp
@@ -14,8 +14,8 @@ gem "active_storage_validations"
 gem "aws-sdk-s3", require: false
 gem "image_processing"
 
-gem 'activemerchant', '>= 1.78.0'
-gem 'angular-rails-templates', '>= 0.3.0'
+gem 'activemerchant'
+gem 'angular-rails-templates'
 gem 'ransack', '~> 4.1.0'
 gem 'responders'
 gem 'webpacker', '~> 5'
@@ -27,7 +27,6 @@ gem 'sprockets', '~> 3.7'
 gem 'i18n'
 gem 'i18n-js', '~> 3.9.0'
 gem 'rails-i18n'
-gem 'rails_safe_tasks', '~> 1.0'
 
 gem "activerecord-import"
 gem "db2fog", github: "openfoodfoundation/db2fog", branch: "rails-7"
@@ -44,13 +43,13 @@ gem 'web', path: './engines/web'
 
 gem "activerecord-postgresql-adapter"
 gem "arel-helpers", "~> 2.12"
-gem "pg", "~> 1.2.3"
+gem "pg"
 
 gem 'acts_as_list', '1.0.4'
 gem 'cancancan', '~> 1.15.0'
 gem 'digest'
 gem 'ffaker'
-gem 'highline', '2.0.3' # Necessary for the install generator
+gem 'highline'
 gem 'json'
 gem 'monetize', '~> 1.11'
 gem 'paranoia', '~> 2.4'
@@ -58,7 +57,7 @@ gem 'state_machines-activerecord'
 gem 'stringex', '~> 2.8.5', require: false
 
 gem 'paypal-sdk-merchant', '1.117.2'
-gem 'stripe'
+gem 'stripe', '~> 15'
 
 gem 'devise'
 gem 'devise-encryptable'
@@ -186,16 +185,19 @@ group :test do
 end
 
 group :development do
-  gem 'debugger-linecache'
   gem 'foreman'
+  gem 'haml_lint', require: false
   gem 'i18n-tasks'
   gem 'listen'
-  gem 'pry', '~> 0.13.0'
+  gem 'pry'
   gem 'query_count'
   gem 'rails-erd'
   gem 'rubocop'
+  gem 'rubocop-capybara'
+  gem 'rubocop-factory_bot'
   gem 'rubocop-rails'
   gem 'rubocop-rspec'
+  gem 'rubocop-rspec_rails'
   gem 'spring'
   gem 'spring-commands-rspec'
   gem 'spring-commands-rubocop'

app/assets/javascripts/admin/customers/controllers/customers_controller.js.coffee

@@ -11,6 +11,9 @@ angular.module("admin.customers").controller "customersCtrl", ($scope, $q, $filt
   $scope.confirmRefresh = (event) ->
     event.preventDefault() unless pendingChanges.unsavedCount() == 0 || confirm(t("unsaved_changes_warning"))
 
+  $scope.hasUnsavedChanges = ->
+    pendingChanges.yes()
+
   $scope.$watch "shop_id", ->
     if $scope.shop_id?
       CurrentShop.shop = $filter('filter')($scope.shops, {id: parseInt($scope.shop_id)}, true)[0]

app/assets/javascripts/admin/index_utils/directives/obj_for_update.js.coffee

@@ -4,15 +4,16 @@ angular.module("admin.indexUtils").directive "objForUpdate", (switchClass, pendi
     type: "@objForUpdate"
     attr: "@attrForUpdate"
   link: (scope, element, attrs) ->
-    scope.savedValue = scope.object()[scope.attr]
+    scope.savedValue = scope.object()[scope.attr] || ""
 
     scope.$watch "object().#{scope.attr}", (value) ->
-      if value == scope.savedValue
+      strValue = value || ""
+      if strValue == scope.savedValue
         pendingChanges.remove(scope.object().id, scope.attr)
         scope.clear()
       else
         scope.pending()
-        addPendingChange(scope.attr, value ? "")
+        addPendingChange(scope.attr, strValue)
 
     scope.reset = (value) ->
       scope.savedValue = value
@@ -37,16 +38,13 @@ angular.module("admin.indexUtils").directive "objForUpdate", (switchClass, pendi
     # To ensure the customer is still updated, we check on the $destroy event to see if
     # the attribute has changed, if so we queue up the change.
     scope.$on '$destroy', (value) ->
-      # No update
-      return if scope.object()[scope.attr] is scope.savedValue
+      currentValue = scope.object()[scope.attr] || ""
 
-      # For some reason the code attribute is removed from the object when cleared, so we add
-      # an emptyvalue so it gets updated properly
-      if scope.attr is "code" and scope.object()[scope.attr] is undefined
-        scope.object()["code"] = ""
+      # No update
+      return if currentValue is scope.savedValue
 
       # Queuing up change
-      addPendingChange(scope.attr, scope.object()[scope.attr])
+      addPendingChange(scope.attr, currentValue)
 
     # private
 

app/assets/javascripts/admin/index_utils/services/pending_changes.js.coffee

@@ -16,7 +16,10 @@ angular.module("admin.indexUtils").factory "pendingChanges", ($q, resources, Sta
     remove: (id, attr) =>
       if @pendingChanges.hasOwnProperty("#{id}")
         delete @pendingChanges["#{id}"]["#{attr}"]
-        delete @pendingChanges["#{id}"] if @changeCount( @pendingChanges["#{id}"] ) < 1
+
+        if @changeCount( @pendingChanges["#{id}"] ) < 1
+          delete @pendingChanges["#{id}"]
+          StatusMessage.clear()
 
     submitAll: (form=null) =>
       all = []
@@ -47,5 +50,8 @@ angular.module("admin.indexUtils").factory "pendingChanges", ($q, resources, Sta
     unsavedCount: ->
       Object.keys(@pendingChanges).length
 
+    yes: ->
+      @unsavedCount() > 0
+
     changeCount: (objectChanges) ->
       Object.keys(objectChanges).length

app/assets/javascripts/admin/index_utils/services/switch_class.js.coffee

@@ -1,4 +1,4 @@
-angular.module("admin.indexUtils").factory "switchClass", ($timeout) ->
+angular.module("admin.indexUtils").factory "switchClass", ($timeout, StatusMessage) ->
   return (element, classToAdd, removeClasses, timeout) ->
     $timeout.cancel element.timeout if element.timeout
     element.removeClass className for className in removeClasses
@@ -7,4 +7,6 @@ angular.module("admin.indexUtils").factory "switchClass", ($timeout) ->
     if timeout && intRegex.test(timeout)
       element.timeout = $timeout(->
         element.removeClass classToAdd
+        StatusMessage.clear()
       , timeout, true)
+    element

app/assets/javascripts/darkswarm/directives/active_table_hub_link.js.coffee

@@ -1,6 +1,6 @@
 angular.module('Darkswarm').directive "activeTableHubLink", (CurrentHub, CurrentOrder) ->
   # Change the text of the hub link based on CurrentHub
-  # To be used with ofnEmptiesCart
+  # To be used with ofnChangeHub
   # Takes "change" and "shop" as text string attributes
   restrict: "A"
   scope:

app/assets/javascripts/templates/partials/producer_details.html.haml

@@ -12,7 +12,7 @@
     .row
       .columns.small-12
         %a.cta-hub{"ng-repeat" => "hub in enterprise.hubs | filter:{id: '!'+enterprise.id} | orderBy:'-active'",
-        "ng-href" => "{{::hub.path}}#/shop_panel", "ofn-empties-cart" => "hub",
+        "ng-href" => "{{::hub.path}}#/shop_panel",
         "ng-class" => "::{primary: hub.active, secondary: !hub.active}",
         "ng-click" => "$close()",
         "ofn-change-hub" => "hub"}

app/components/searchable_dropdown_component.rb

@@ -30,7 +30,7 @@ class SearchableDropdownComponent < ViewComponent::Base
               :aria_label, :other_attrs
 
   def classes
-    "fullwidth #{remove_search_plugin? ? 'no-input' : ''}"
+    "fullwidth #{'no-input' if remove_search_plugin?}"
   end
 
   def data

app/components/tag_list_input_component.rb

@@ -5,16 +5,19 @@ class TagListInputComponent < ViewComponent::Base
                  placeholder: I18n.t("components.tag_list_input.default_placeholder"),
                  only_one: false,
                  aria_label: nil,
-                 hidden_field_data_options: {})
+                 hidden_field_data_options: {},
+                 autocomplete_url: "")
     @name = name
     @tags = tags
     @placeholder = placeholder
     @only_one = only_one
     @aria_label_option = aria_label ? { 'aria-label': aria_label } : {}
     @hidden_field_data_options = hidden_field_data_options
+    @autocomplete_url = autocomplete_url
   end
 
-  attr_reader :name, :tags, :placeholder, :only_one, :aria_label_option, :hidden_field_data_options
+  attr_reader :name, :tags, :placeholder, :only_one, :aria_label_option,
+              :hidden_field_data_options, :autocomplete_url
 
   private
 

app/components/tag_list_input_component/tag_list_input_component.html.haml

@@ -1,4 +1,4 @@
-%div{ "data-controller": "tag-list-input", "data-tag-list-input-only-one-value": "#{only_one}" }
+%div{ "data-controller": "tag-list-input", "data-tag-list-input-only-one-value": "#{only_one}", "data-tag-list-input-url-value": autocomplete_url, "data-action": "autocomplete.change->tag-list-input#addTag" }
   .tags-input
     .tags
       - # We use display:none instead of hidden field, so changes to the value can be picked up by the bulkFormController 
@@ -16,4 +16,12 @@
               %span=tag
               %a.remove-button{ "data-action": "click->tag-list-input#removeTag" }
                 ×
-      = text_field_tag "variant_add_tag", nil, class: "input", placeholder: placeholder, "data-action": "keydown.enter->tag-list-input#addTag keyup->tag-list-input#filterInput blur->tag-list-input#addTag", "data-tag-list-input-target": "newTag", **aria_label_option, style: "display: #{display};"
+      = text_field_tag("variant_add_tag",
+        nil,
+        { class: "input",
+          placeholder: placeholder,
+          "data-action": "keydown.enter->tag-list-input#keyboardAddTag keyup->tag-list-input#filterInput blur->tag-list-input#onBlur focus->tag-list-input#onInputChange",
+          "data-tag-list-input-target": "input",
+          **aria_label_option,
+          style: "display: #{display};"})
+    %ul.suggestion-list{ "data-tag-list-input-target": "results" , hidden: true }

app/components/tag_list_input_component/tag_list_input_component.scss

@@ -67,4 +67,35 @@
       font-size: 14px;
     }
   }
+
+  ul.suggestion-list {
+    margin-top: 5px;
+    padding: 5px 0;
+    z-index: $tag-drop-down-z-index;
+    width: fit-content;
+    background-color: #fff;
+    border: 1px solid rgba(0, 0, 0, 0.2);
+    box-shadow: $shadow-dropdown;
+    list-style-type: none;
+    max-height: 280px;
+    overflow-y: auto;
+    position: relative;
+
+    li.suggestion-item {
+      padding: 5px 10px;
+      cursor: pointer;
+      white-space: nowrap;
+      overflow: hidden;
+      text-overflow: ellipsis;
+      color: #000;
+      background-color: #fff;
+      width: stretch;
+
+      &.active,
+      &:hover {
+        color: #fff;
+        background-color: $color-link-visited;
+      }
+    }
+  }
 }

app/components/tag_list_input_component/tag_list_input_controller.js

@@ -1,14 +1,23 @@
-import { Controller } from "stimulus";
+import { Autocomplete } from "stimulus-autocomplete";
 
-export default class extends Controller {
-  static targets = ["tagList", "newTag", "template", "list"];
+// Extend the stimulus-autocomplete controller, so we can load tag with existing rules
+// The autocomplete functionality is only loaded if the url value is set
+// For more informatioon on "stimulus-autocomplete", see:
+//    https://github.com/afcapel/stimulus-autocomplete/tree/main
+//
+export default class extends Autocomplete {
+  static targets = ["tagList", "input", "template", "list"];
   static values = { onlyOne: Boolean };
 
-  addTag(event) {
-    // prevent hotkey form submitting the form (default action for "enter" key)
-    event.preventDefault();
+  connect() {
+    // Don't start autocomplete controller if we don't have an url
+    if (this.urlValue.length == 0) return;
 
-    const newTagName = this.newTagTarget.value.trim().replaceAll(" ", "-");
+    super.connect();
+  }
+
+  addTag(event) {
+    const newTagName = this.inputTarget.value.trim().replaceAll(" ", "-");
     if (newTagName.length == 0) {
       return;
     }
@@ -18,7 +27,7 @@ export default class extends Controller {
     const index = tags.indexOf(newTagName);
     if (index != -1) {
       // highlight the value in red
-      this.newTagTarget.classList.add("tag-error");
+      this.inputTarget.classList.add("tag-error");
       return;
     }
 
@@ -38,14 +47,23 @@ export default class extends Controller {
     this.listTarget.appendChild(newTagElement);
 
     // Clear new tag value
-    this.newTagTarget.value = "";
+    this.inputTarget.value = "";
 
     // hide tag input if limited to one tag
     if (this.tagListTarget.value.split(",").length == 1 && this.onlyOneValue == true) {
-      this.newTagTarget.style.display = "none";
+      this.inputTarget.style.display = "none";
     }
   }
 
+  keyboardAddTag(event) {
+    // prevent hotkey form submitting the form (default action for "enter" key)
+    if (event) {
+      event.preventDefault();
+    }
+
+    this.addTag();
+  }
+
   removeTag(event) {
     // Text to remove
     const tagName = event.srcElement.previousElementSibling.textContent;
@@ -62,14 +80,14 @@ export default class extends Controller {
 
     // Make sure the tag input is displayed
     if (this.tagListTarget.value.length == 0) {
-      this.newTagTarget.style.display = "block";
+      this.inputTarget.style.display = "block";
     }
   }
 
   filterInput(event) {
     // clear error class if key is not enter
     if (event.key !== "Enter") {
-      this.newTagTarget.classList.remove("tag-error");
+      this.inputTarget.classList.remove("tag-error");
     }
 
     // Strip comma from tag name
@@ -77,4 +95,53 @@ export default class extends Controller {
       event.srcElement.value = event.srcElement.value.replace(",", "");
     }
   }
+
+  // Add tag if we don't have an autocomplete list open
+  onBlur() {
+    // check if we have any autocomplete results
+    if (this.resultsTarget.childElementCount == 0) this.addTag();
+  }
+
+  // Override original to add tag filtering
+  replaceResults(html) {
+    const filteredHtml = this.#filterResults(html);
+
+    // Don't show result if we don't have anything to show
+    if (filteredHtml.length == 0) return;
+
+    super.replaceResults(filteredHtml);
+  }
+
+  // Override original to all empty query, which will return all existing tags
+  onInputChange = () => {
+    if (this.urlValue.length == 0) return;
+
+    if (this.hasHiddenTarget) this.hiddenTarget.value = "";
+
+    const query = this.inputTarget.value.trim();
+    if (query.length >= this.minLengthValue) {
+      this.fetchResults(query);
+    } else {
+      this.hideAndRemoveOptions();
+    }
+  };
+
+  //private
+
+  #filterResults(html) {
+    const existingTags = this.tagListTarget.value.split(",");
+    // Parse the HTML
+    const parser = new DOMParser();
+    const doc = parser.parseFromString(html, "text/html");
+    const lis = doc.getElementsByTagName("li");
+    // Filter
+    let filteredHtml = "";
+    for (let li of lis) {
+      if (!existingTags.includes(li.dataset.autocompleteValue)) {
+        filteredHtml += li.outerHTML;
+      }
+    }
+
+    return filteredHtml;
+  }
 }

app/components/tag_rule_form_component.rb

@@ -47,6 +47,13 @@ class TagRuleFormComponent < ViewComponent::Base
         taggable: "variant",
         visibility_field: "preferred_matched_variants_visibility",
       }
+    when "TagRule::FilterVariants"
+      {
+        text_top: t('components.tag_rule_form.tag_rules.variant_tagged_top'),
+        text_bottom: t('components.tag_rule_form.tag_rules.variant_tagged_bottom'),
+        taggable: "variant",
+        visibility_field: "preferred_matched_variants_visibility",
+      }
     end
   end
 

app/components/webhook_endpoint_form_component.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class WebhookEndpointFormComponent < ViewComponent::Base
+  def initialize(webhooks:, webhook_type:)
+    @webhooks = webhooks
+    @webhook_type = webhook_type
+  end
+
+  private
+
+  attr_reader :webhooks, :webhook_type
+
+  def is_webhook_payment_status?
+    webhook_type == "payment_status_changed"
+  end
+end

app/components/webhook_endpoint_form_component/webhook_endpoint_form_component.html.haml

@@ -0,0 +1,27 @@
+-# Create new endpoints
+- if webhooks.empty? # Only one allowed for now.
+  %tr
+    %td= t("components.webhook_endpoint_form.event_types.#{webhook_type}")
+    %td
+      = form_with(url: helpers.account_webhook_endpoints_path, id: "#{webhook_type}_webhook_endpoint") do |f|
+        = f.url_field :'webhook_endpoint[url]', id: "#{webhook_type}_webhook_endpoint_url", placeholder: t('components.webhook_endpoint_form.url.create_placeholder'), required: true, size: 64
+        = f.hidden_field :'webhook_endpoint[webhook_type]', id: "#{webhook_type}_webhook_endpoint_webhook_type", value: webhook_type
+    %td.actions
+      = button_tag t(:create), class: 'button primary tiny no-margin', form: "#{webhook_type}_webhook_endpoint"
+
+-# Existing endpoints
+- webhooks.each do |webhook_endpoint|
+  %tr
+    %td= t("components.webhook_endpoint_form.event_types.#{webhook_type}")
+    %td= webhook_endpoint.url
+    %td.actions.endpoints-actions
+      - if webhook_endpoint.persisted?
+        = button_to helpers.account_webhook_endpoint_path(webhook_endpoint), method: :delete,
+                                                                             class: "tiny alert no-margin",
+                                                                             data: { confirm: I18n.t(:are_you_sure) } do
+          = I18n.t(:delete)
+
+        - if is_webhook_payment_status?
+          = form_tag helpers.webhook_endpoint_test_account_path(webhook_endpoint), class: "button_to", 'data-turbo': true do
+            = button_tag type: "submit", class: "tiny alert no-margin", data: { confirm: I18n.t(:are_you_sure) } do
+              = I18n.t("components.webhook_endpoint_form.test_endpoint")

app/controllers/admin/bulk_line_items_controller.rb

@@ -3,6 +3,7 @@
 module Admin
   class BulkLineItemsController < Spree::Admin::BaseController
     include PaginationData
+
     # GET /admin/bulk_line_items.json
     #
     def index

app/controllers/admin/customers_controller.rb

@@ -51,6 +51,18 @@ module Admin
       end
     end
 
+    # copy of Admin::ResourceController without flash notice
+    def update
+      if @object.update(permitted_resource_params)
+        respond_with(@object) do |format|
+          format.html { redirect_to location_after_save }
+          format.js   { render layout: false }
+        end
+      else
+        respond_with(@object)
+      end
+    end
+
     # copy of Admin::ResourceController without flash notice
     def destroy
       if @object.destroy

app/controllers/admin/dfc_product_imports_controller.rb

@@ -15,8 +15,8 @@ module Admin
     def index
       # Fetch DFC catalog JSON for preview
       @catalog_url = params.require(:catalog_url).strip
-      @catalog_json = api.call(@catalog_url)
-      catalog = DfcCatalog.from_json(@catalog_json)
+      @catalog_data = api.call(@catalog_url)
+      catalog = DfcCatalog.from_json(@catalog_data)
 
       # Render table and let user decide which ones to import.
       @items = list_products(catalog)

app/controllers/admin/enterprises_controller.rb

@@ -51,6 +51,7 @@ module Admin
 
       load_tag_rule_types
 
+      load_tag_rules
       return unless params[:stimulus]
 
       @enterprise.is_primary_producer = params[:is_primary_producer]
@@ -84,6 +85,7 @@ module Admin
         end
       else
         load_tag_rule_types
+        load_tag_rules
         respond_with(@object) do |format|
           format.json {
             render json: { errors: @object.errors.messages }, status: :unprocessable_entity
@@ -160,6 +162,18 @@ module Admin
       end
     end
 
+    def destroy
+      if @object.destroy
+        flash.now[:success] = flash_message_for(@object, :successfully_removed)
+      else
+        flash.now[:error] = @object.errors.full_messages.to_sentence
+      end
+
+      respond_to do |format|
+        format.turbo_stream { render :destroy, status: :ok }
+      end
+    end
+
     protected
 
     def delete_custom_tab
@@ -398,9 +412,26 @@ module Admin
         [t(".form.tag_rules.show_hide_order_cycles"), "FilterOrderCycles"]
       ]
 
-      return unless helpers.feature?(:inventory, @object)
+      if helpers.feature?(:variant_tag, @object)
+        @tag_rule_types.prepend([t(".form.tag_rules.show_hide_variants"), "FilterVariants"])
+      elsif helpers.feature?(:inventory, @object)
+        @tag_rule_types.prepend([t(".form.tag_rules.show_hide_variants"), "FilterProducts"])
+      end
+    end
 
-      @tag_rule_types.prepend([t(".form.tag_rules.show_hide_variants"), "FilterProducts"])
+    def load_tag_rules
+      if helpers.feature?(:variant_tag, @object)
+        @default_rules = @enterprise.tag_rules.exclude_inventory.select(&:is_default)
+        @rules = @enterprise.tag_rules.exclude_inventory.prioritised.reject(&:is_default)
+      elsif helpers.feature?(:inventory, @object)
+        @default_rules = @enterprise.tag_rules.exclude_variant.select(&:is_default)
+        @rules = @enterprise.tag_rules.exclude_variant.prioritised.reject(&:is_default)
+      else
+        @default_rules =
+          @enterprise.tag_rules.exclude_inventory.exclude_variant.select(&:is_default)
+        @rules =
+          @enterprise.tag_rules.exclude_inventory.exclude_variant.prioritised.reject(&:is_default)
+      end
     end
 
     def setup_property

app/controllers/admin/product_import_controller.rb

@@ -49,7 +49,7 @@ module Admin
         errors: @importer.errors.full_messages
       }
 
-      if helpers.feature?(:inventory, *spree_current_user.enterprises)
+      if helpers.inventory_enabled?(spree_current_user.enterprises)
         json[:results][:inventory_created] = @importer.inventory_created_count
         json[:results][:inventory_updated] = @importer.inventory_updated_count
       end
@@ -175,7 +175,7 @@ module Admin
 
     # Return an error if trying to import into inventories when inventory is disable
     def can_import_into_inventories?
-      return true if helpers.feature?(:inventory, *spree_current_user.enterprises) ||
+      return true if helpers.inventory_enabled?(spree_current_user.enterprises) ||
                      params.dig(:settings, "import_into") != 'inventories'
 
       redirect_to admin_product_import_url, notice: I18n.t(:product_import_inventory_disable)

app/controllers/admin/products_v3_controller.rb

@@ -11,7 +11,8 @@ module Admin
     def index
       fetch_products
       render "index",
-             locals: { producers:, categories:, tax_category_options:, available_tags:, flash: }
+             locals: { producer_options:, categories:, tax_category_options:, available_tags:,
+                       flash:, allowed_producers: }
 
       session[:products_return_to_url] = request.url
     end
@@ -32,7 +33,8 @@ module Admin
 
         render "index", status: :unprocessable_entity,
                         locals: {
-                          producers:, categories:, tax_category_options:, available_tags:, flash:
+                          producer_options:, categories:, tax_category_options:, available_tags:,
+                          allowed_producers:, flash:
                         }
       end
     end
@@ -78,27 +80,29 @@ module Admin
     end
 
     def clone
-      @product = Spree::Product.find(params[:id])
-      authorize! :clone, @product
+      product = Spree::Product.find(params[:id])
+      authorize! :clone, product
 
       status = :ok
 
       begin
-        @cloned_product = @product.duplicate
+        cloned_product = product.duplicate
         flash.now[:success] = t('.success')
 
-        @product_index = "-#{@cloned_product.id}"
-        @producer_options = producers
-        @category_options = categories
-        @tax_category_options = tax_category_options
+        product_index = "-#{cloned_product.id}"
       rescue ActiveRecord::ActiveRecordError => e
         flash.now[:error] = clone_error_message(e)
         status = :unprocessable_entity
-        @product_index = "-1" # Create a unique enough index
+        product_index = "-1" # Create a unique enough index
       end
 
       respond_with do |format|
-        format.turbo_stream { render :clone, status: }
+        format.turbo_stream {
+          render :clone, status:,
+                         locals: { product:, cloned_product:, product_index:, producer_options:,
+                                   category_options: categories, tax_category_options:,
+                                   allowed_producers: }
+        }
       end
     end
 
@@ -124,18 +128,31 @@ module Admin
       @per_page = params[:per_page].presence || 15
       @q = params.permit(q: {})[:q] || { s: 'name asc' }
 
-      # Transform on_hand sorting to include backorderable_priority (on-demand) for proper ordering
+      # Transform on_hand sorting to properly handle On-Demand products:
+      #   - On-Demand products should ignore on_hand completely and sort alphabetically.
+      #   - Non-On-Demand products should continue sorting by on_hand as usual.
       if @q[:s] == 'on_hand asc'
-        @q[:s] = ['backorderable_priority asc', @q[:s]]
+        @q[:s] = [
+          'backorderable_priority asc',
+          'backorderable_name asc',
+          @q[:s]
+        ]
       elsif @q[:s] == 'on_hand desc'
-        @q[:s] = ['backorderable_priority desc', @q[:s]]
+        @q[:s] = [
+          'backorderable_priority desc',
+          'backorderable_name asc',
+          @q[:s]
+        ]
       end
     end
 
-    def producers
-      producers = OpenFoodNetwork::Permissions.new(spree_current_user)
+    def allowed_producers
+      OpenFoodNetwork::Permissions.new(spree_current_user)
         .managed_product_enterprises.is_primary_producer.by_name
-      producers.map { |p| [p.name, p.id] }
+    end
+
+    def producer_options
+      allowed_producers.map { |p| [p.name, p.id] }
     end
 
     def categories
@@ -173,6 +190,7 @@ module Admin
         product_query = product_query.select(
           Arel.sql('spree_products.*'),
           Spree::Product.backorderable_priority_sql,
+          Spree::Product.backorderable_name_sql,
           Spree::Product.on_hand_sql
         )
       end

app/controllers/admin/reports_controller.rb

@@ -4,6 +4,7 @@ module Admin
   class ReportsController < Spree::Admin::BaseController
     include ActiveStorage::SetCurrent
     include ReportsActions
+
     helper ReportsHelper
 
     before_action :authorize_report, only: [:show, :create]

app/controllers/admin/resource_controller.rb

@@ -61,7 +61,7 @@ module Admin
 
     def destroy
       if @object.destroy
-        flash[:success] = flash_message_for(@object, :successfully_removed)
+        flash[:success] = Spree.t(:successfully_removed)
         respond_with(@object) do |format|
           format.html { redirect_to collection_url }
           format.js   { render partial: "spree/admin/shared/destroy" }
@@ -76,7 +76,7 @@ module Admin
     protected
 
     def resource_not_found
-      flash[:error] = flash_message_for(model_class.new, :not_found)
+      flash[:error] = Spree.t(:not_found)
       redirect_to collection_url
     end
 

app/controllers/admin/stripe_accounts_controller.rb

@@ -6,7 +6,7 @@ module Admin
   class StripeAccountsController < Spree::Admin::BaseController
     def connect
       payload = params.permit(:enterprise_id).to_h
-      key = Openfoodnetwork::Application.config.secret_token
+      key = Rails.application.secret_key_base
       url_params = { state: JWT.encode(payload, key, 'HS256'), scope: "read_write" }
       redirect_to Stripe::OAuth.authorize_url(url_params)
     end

app/controllers/admin/tag_rules_controller.rb

@@ -30,7 +30,7 @@ module Admin
 
       status = :ok
       if @rule.destroy
-        flash[:success] = Spree.t(:successfully_removed, resource: "Tag Rule")
+        flash[:success] = Spree.t(:successfully_removed, resource: Spree.t(:tag_rule))
       else
         flash.now[:error] = t(".destroy_error")
         status = :internal_server_error
@@ -41,6 +41,7 @@ module Admin
       end
     end
 
+    # Used by the tag input autocomplete
     def map_by_tag
       respond_to do |format|
         format.json do
@@ -50,6 +51,26 @@ module Admin
       end
     end
 
+    # Use to populate autocomplete with available rule for the given tag/enterprise
+    def variant_tag_rules
+      tag_rules =
+        TagRule.matching_variant_tag_rules_by_enterprises(params[:enterprise_id], params[:q])
+
+      @formatted_tag_rules = tag_rules.each_with_object({}) do |rule, mapping|
+        rule.preferred_variant_tags.split(",").each do |tag|
+          if mapping[tag]
+            mapping[tag][:rules] += 1
+          else
+            mapping[tag] = { tag:, rules: 1 }
+          end
+        end
+      end.values
+
+      respond_with do |format|
+        format.html { render :variant_tag_rules, layout: false }
+      end
+    end
+
     private
 
     def collection_actions
@@ -78,7 +99,7 @@ module Admin
     end
 
     def permitted_tag_rule_type
-      %w{FilterOrderCycles FilterPaymentMethods FilterProducts FilterShippingMethods}
+      %w{FilterOrderCycles FilterPaymentMethods FilterProducts FilterShippingMethods FilterVariants}
     end
   end
 end

app/controllers/admin/variant_overrides_controller.rb

@@ -44,6 +44,8 @@ module Admin
     def load_data
       @hubs = OpenFoodNetwork::Permissions.new(spree_current_user).
         variant_override_hubs.by_name
+      # Only display the ones with inventory enabled
+      @hubs = @hubs.select { |p| helpers.feature?(:inventory, p) }
 
       # Used in JS to look up the name of the producer of each product
       @producers = OpenFoodNetwork::Permissions.new(spree_current_user).

app/controllers/admin/vouchers_controller.rb

@@ -14,7 +14,7 @@ module Admin
       )
 
       if @voucher.save
-        flash[:success] = I18n.t(:successfully_created, resource: "Voucher")
+        flash[:success] = I18n.t(:successfully_created, resource: Spree.t(:voucher))
         redirect_to edit_admin_enterprise_path(@enterprise, anchor: :vouchers_panel)
       else
         render_error

app/controllers/api/v0/enterprises_controller.rb

@@ -43,7 +43,7 @@ module Api
         @enterprise = Enterprise.find_by(permalink: params[:id]) || Enterprise.find(params[:id])
         authorize! :update, @enterprise
 
-        if params[:logo] && @enterprise.update( logo: params[:logo] )
+        if params[:logo] && @enterprise.update!(logo: params[:logo])
           render(html: @enterprise.logo_url(:medium), status: :ok)
         elsif params[:promo] && @enterprise.update!( promo_image: params[:promo] )
           render(html: @enterprise.promo_image_url(:medium), status: :ok)

app/controllers/api/v0/exchange_products_controller.rb

@@ -7,6 +7,7 @@ module Api
   module V0
     class ExchangeProductsController < Api::V0::BaseController
       include PaginationData
+
       DEFAULT_PER_PAGE = 100
 
       skip_authorization_check only: [:index]

app/controllers/api/v0/order_cycles_controller.rb

@@ -23,7 +23,8 @@ module Api
           order_cycle,
           customer,
           search_params,
-          inventory_enabled:
+          inventory_enabled:,
+          variant_tag_enabled:
         ).products_json
 
         render plain: products
@@ -96,13 +97,17 @@ module Api
 
       def distributed_products
         OrderCycles::DistributedProductsService.new(
-          distributor, order_cycle, customer, inventory_enabled:
+          distributor, order_cycle, customer, inventory_enabled:, variant_tag_enabled:,
         ).products_relation.pluck(:id)
       end
 
       def inventory_enabled
         OpenFoodNetwork::FeatureToggle.enabled?(:inventory, distributor)
       end
+
+      def variant_tag_enabled
+        OpenFoodNetwork::FeatureToggle.enabled?(:variant_tag, distributor)
+      end
     end
   end
 end

app/controllers/api/v0/products_controller.rb

@@ -7,6 +7,7 @@ module Api
   module V0
     class ProductsController < Api::V0::BaseController
       include PaginationData
+
       respond_to :json
       DEFAULT_PER_PAGE = 15
 

app/controllers/api/v1/customers_controller.rb

@@ -8,6 +8,10 @@ module Api
       include AddressTransformation
       include ExtraFields
 
+      wrap_parameters :customer, include:
+        Customer.attribute_names +
+        [:billing_address, :shipping_address]
+
       skip_authorization_check only: :index
 
       before_action :authorize_action, only: [:show, :update, :destroy]
@@ -88,7 +92,8 @@ module Api
         attributes = params.require(:customer).permit(
           :email, :enterprise_id,
           :code, :first_name, :last_name,
-          :billing_address, shipping_address: [
+          :billing_address,
+          shipping_address: [
             :phone, :latitude, :longitude,
             :first_name, :last_name,
             :street_address_1, :street_address_2,

app/controllers/concerns/manager_invitations.rb

@@ -4,7 +4,7 @@ module ManagerInvitations
   extend ActiveSupport::Concern
 
   def create_new_manager(email, enterprise)
-    password = Devise.friendly_token
+    password = SecureRandom.base58(64)
     new_user = Spree::User.create(email:, unconfirmed_email: email, password:)
     new_user.reset_password_token = Devise.friendly_token
     # Same time as used in Devise's lib/devise/models/recoverable.rb.

app/controllers/concerns/order_stock_check.rb

@@ -20,25 +20,43 @@ module OrderStockCheck
     @updated_variants = check_stock_service.update_line_items
   end
 
-  def check_order_cycle_expiry
+  def check_order_cycle_expiry(should_empty_order: true)
     return unless current_order_cycle&.closed?
 
     Alert.raise_with_record("Notice: order cycle closed during checkout completion", current_order)
-    current_order.empty!
-    current_order.assign_order_cycle! nil
 
-    flash[:info] = I18n.t('order_cycle_closed')
-    respond_to do |format|
-      format.cable_ready {
-        render status: :see_other, cable_ready: cable_car.redirect_to(url: main_app.shop_path)
-      }
-      format.json { render json: { path: main_app.shop_path }, status: :see_other }
-      format.html { redirect_to main_app.shop_path, status: :see_other }
-    end
+    handle_closed_order_cycle if should_empty_order
+
+    flash[:info] = build_order_cycle_message(should_empty_order)
+    redirect_to_shop_page(should_empty_order)
   end
 
   private
 
+  def handle_closed_order_cycle
+    current_order.empty!
+    current_order.assign_order_cycle!(nil)
+  end
+
+  def build_order_cycle_message(should_empty_order)
+    # If order is not emptied, we assume user will contact support for next steps
+    key = should_empty_order ? 'order_cycle_closed' : 'order_cycle_closed_next_steps'
+    I18n.t(key, order_number: current_order.number)
+  end
+
+  def redirect_to_shop_page(should_empty_order)
+    # If order is not emptied, redirect to shops page because shop page empties the order by default
+    redirect_url = should_empty_order ? main_app.shop_path : main_app.shops_path
+
+    respond_to do |format|
+      format.cable_ready {
+        render status: :see_other, cable_ready: cable_car.redirect_to(url: redirect_url)
+      }
+      format.json { render json: { path: redirect_url }, status: :see_other }
+      format.html { redirect_to redirect_url, status: :see_other }
+    end
+  end
+
   def check_stock_service
     @check_stock_service ||= Orders::CheckStockService.new(order: @order)
   end

app/controllers/payment_gateways/paypal_controller.rb

@@ -8,7 +8,9 @@ module PaymentGateways
     before_action :destroy_orphaned_paypal_payments, only: :confirm
     before_action :load_checkout_order, only: [:express, :confirm]
     before_action :handle_insufficient_stock, only: [:express, :confirm]
-    before_action :check_order_cycle_expiry, only: [:express, :confirm]
+    before_action -> { check_order_cycle_expiry(should_empty_order: false) }, only: [
+      :express, :confirm
+    ]
     before_action :permit_parameters!
 
     after_action :reset_order_when_complete, only: :confirm

app/controllers/payment_gateways/stripe_controller.rb

@@ -7,7 +7,7 @@ module PaymentGateways
 
     before_action :load_checkout_order, only: :confirm
     before_action :validate_payment_intent, only: :confirm
-    before_action :check_order_cycle_expiry, only: :confirm
+    before_action -> { check_order_cycle_expiry(should_empty_order: false) }, only: :confirm
 
     def confirm
       validate_stock

app/controllers/spree/admin/images_controller.rb

@@ -68,7 +68,7 @@ module Spree
         destroy_before
 
         if @object.destroy
-          flash[:success] = flash_message_for(@object, :successfully_removed)
+          flash[:success] = Spree.t(:successfully_removed)
         end
 
         redirect_to location_after_save

app/controllers/spree/admin/orders_controller.rb

@@ -6,6 +6,7 @@ module Spree
   module Admin
     class OrdersController < Spree::Admin::BaseController
       include OpenFoodNetwork::SpreeApiKeyLoader
+
       helper CheckoutHelper
 
       before_action :load_order, only: [:edit, :update, :fire, :resend, :invoice, :print]

app/controllers/spree/admin/payment_methods_controller.rb

@@ -10,6 +10,12 @@ module Spree
 
       respond_to :html
 
+      PAYMENT_METHODS = %w{
+        Spree::PaymentMethod::Check
+        Spree::Gateway::PayPalExpress
+        Spree::Gateway::StripeSCA
+      }.index_with(&:constantize).freeze
+
       def create
         force_environment
 
@@ -89,8 +95,9 @@ module Spree
             @payment_method = PaymentMethod.find(params[:pm_id])
           end
         else
-          @payment_method = params[:provider_type].constantize.new
+          @payment_method = PAYMENT_METHODS.fetch(params[:provider_type], PaymentMethod).new
         end
+
         render partial: 'provider_settings'
       end
 

app/controllers/spree/admin/product_properties_controller.rb

@@ -16,7 +16,7 @@ module Spree
         @url_filters = ::ProductFilters.new.extract(request.query_parameters)
 
         if @object.destroy
-          flash[:success] = flash_message_for(@object, :successfully_removed)
+          flash[:success] = Spree.t(:successfully_removed)
         end
         # if destroy fails it won't show any errors to the user
         redirect_to spree.admin_product_product_properties_url(params[:product_id], @url_filters)

app/controllers/spree/admin/products_controller.rb

@@ -10,6 +10,7 @@ module Spree
       include OpenFoodNetwork::SpreeApiKeyLoader
       include OrderCyclesHelper
       include EnterprisesHelper
+
       helper ::Admin::ProductsHelper
       helper Spree::Admin::TaxCategoriesHelper
 

app/controllers/spree/admin/shipping_methods_controller.rb

@@ -36,7 +36,7 @@ module Spree
         end
 
         @object.touch :deleted_at
-        flash[:success] = flash_message_for(@object, :successfully_removed)
+        flash[:success] = Spree.t(:successfully_removed)
 
         respond_with(@object) do |format|
           format.html { redirect_to collection_url }

app/controllers/spree/admin/tax_categories_controller.rb

@@ -5,7 +5,7 @@ module Spree
     class TaxCategoriesController < ::Admin::ResourceController
       def destroy
         if @object.destroy
-          flash[:success] = flash_message_for(@object, :successfully_removed)
+          flash[:success] = Spree.t(:successfully_removed)
           respond_with(@object) do |format|
             format.html { redirect_to collection_url }
             format.js   { render partial: "spree/admin/shared/destroy" }

app/controllers/spree/user_passwords_controller.rb

@@ -14,6 +14,7 @@ module Spree
     include Spree::Core::ControllerHelpers::Order
 
     include I18nHelper
+
     before_action :set_locale
 
     # Devise::PasswordsController allows for blank passwords.

app/controllers/webhook_endpoints_controller.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 class WebhookEndpointsController < BaseController
-  before_action :load_resource, only: :destroy
+  before_action :load_resource, only: [:destroy, :test]
 
   def create
     webhook_endpoint = spree_current_user.webhook_endpoints.new(webhook_endpoint_params)
@@ -25,12 +25,30 @@ class WebhookEndpointsController < BaseController
     redirect_to redirect_path
   end
 
+  def test
+    at = Time.zone.now
+    test_payload = Payments::WebhookPayload.test_data.to_hash
+
+    WebhookDeliveryJob.perform_later(@webhook_endpoint.url, "payment.completed", test_payload, at:)
+
+    flash[:success] = t(".success")
+    respond_with do |format|
+      format.turbo_stream do
+        render turbo_stream: turbo_stream.update(
+          :flashes, partial: "shared/flashes", locals: { flashes: flash }
+        )
+      end
+    end
+  end
+
+  private
+
   def load_resource
     @webhook_endpoint = spree_current_user.webhook_endpoints.find(params[:id])
   end
 
   def webhook_endpoint_params
-    params.require(:webhook_endpoint).permit(:url)
+    params.require(:webhook_endpoint).permit(:url, :webhook_type)
   end
 
   def redirect_path

app/forms/schedule_form.rb

@@ -36,9 +36,7 @@ class ScheduleForm
     false unless @schedule.update(permitted_resource_params)
   end
 
-  def order_cycle_ids
-    @schedule.order_cycle_ids
-  end
+  delegate :order_cycle_ids, to: :@schedule
 
   private
 

app/helpers/admin/products_helper.rb

@@ -41,5 +41,11 @@ module Admin
     def hide_producer_column?(producer_options)
       spree_current_user.column_preferences.bulk_edit_product.empty? && producer_options.one?
     end
+
+    # check if the user is in the "admins" group or if it's enabled for any of
+    # the enterprises the user manages
+    def variant_tag_enabled?(user)
+      feature?(:variant_tag, user) || feature?(:variant_tag, *user.enterprises)
+    end
   end
 end

app/helpers/application_helper.rb

@@ -52,9 +52,9 @@ module ApplicationHelper
 
   # Pass URL helper calls on to spree where applicable so that we don't need to use
   # spree.foo_path in any view rendered from non-spree-namespaced controllers.
-  def method_missing(method, *args, &)
+  def method_missing(method, *, &)
     if method.to_s.end_with?('_path', '_url') && spree.respond_to?(method)
-      spree.public_send(method, *args)
+      spree.public_send(method, *)
     else
       super
     end

app/helpers/enterprises_helper.rb

@@ -63,8 +63,11 @@ module EnterprisesHelper
     url = object_url(enterprise)
     name = t(:delete)
     options = {}
-    options[:class] = "delete-resource"
-    options[:data] = { action: 'remove', confirm: enterprise_confirm_delete_message(enterprise) }
+    options[:data] = {
+      turbo: true,
+      'turbo-method': 'delete',
+      'turbo-confirm': enterprise_confirm_delete_message(enterprise)
+    }
     link_to_with_icon 'icon-trash', name, url, options
   end
 

app/helpers/injection_helper.rb

@@ -120,7 +120,7 @@ module InjectionHelper
 
   def inject_enterprise_attributes(enterprise_attributes)
     render partial: "json/injection_ams",
-           locals: { name: 'enterpriseAttributes', json: enterprise_attributes.to_json.to_s }
+           locals: { name: 'enterpriseAttributes', json: enterprise_attributes.to_json }
   end
 
   def inject_saved_credit_cards

app/helpers/reports_helper.rb

@@ -44,9 +44,7 @@ module ReportsHelper
       .pluck(:name, :id)
   end
 
-  def currency_symbol
-    Spree::Money.currency_symbol
-  end
+  delegate :currency_symbol, to: :'Spree::Money'
 
   def enterprise_fee_owner_ids(orders)
     EnterpriseFee.where(id: enterprise_fee_ids(orders))

app/helpers/spree/admin/base_helper.rb

@@ -147,6 +147,10 @@ module Spree
         dom_id(record, 'spree')
       end
 
+      def inventory_enabled?(enterprises)
+        !feature?(:variant_tag, *enterprises) && feature?(:inventory, *enterprises)
+      end
+
       private
 
       def attribute_name_for(field_name)

app/helpers/spree/admin/orders_helper.rb

@@ -120,7 +120,7 @@ module Spree
       end
 
       def cancel_event_link(order)
-        event_label = I18n.t("cancel", scope: "actions")
+        event_label = I18n.t("cancel_order", scope: "actions")
         button_link_to(event_label,
                        fire_admin_order_url(order, e: "cancel"),
                        method: :put, icon: "icon-cancel", form_id: "cancel_order_form")

app/helpers/terms_and_conditions_helper.rb

@@ -10,9 +10,7 @@ module TermsAndConditionsHelper
     TermsOfService.required?(distributor)
   end
 
-  def platform_terms_required?
-    TermsOfService.platform_terms_required?
-  end
+  delegate :platform_terms_required?, to: :TermsOfService
 
   def distributor_terms_required?
     TermsOfService.distributor_terms_required?(current_order.distributor)

app/jobs/bulk_invoice_job.rb

@@ -2,6 +2,7 @@
 
 class BulkInvoiceJob < ApplicationJob
   include CableReady::Broadcaster
+
   delegate :render, to: ActionController::Base
   attr_reader :options
 

app/jobs/report_job.rb

@@ -3,6 +3,7 @@
 # Renders a report and stores it in a given blob.
 class ReportJob < ApplicationJob
   include CableReady::Broadcaster
+
   delegate :render, to: ActionController::Base
 
   before_perform :enable_active_storage_urls

app/models/application_record.rb

@@ -12,7 +12,10 @@ class ApplicationRecord < ActiveRecord::Base
   self.include_root_in_json = true
 
   def self.image_service
-    ENV["S3_BUCKET"].present? ? :amazon_public : :local
+    return :local if ENV["S3_BUCKET"].blank?
+    return :amazon_public if ENV["S3_ENDPOINT"].blank?
+
+    :s3_compatible_storage_public
   end
 
   # We might have a development environment without S3 but with a database
@@ -29,7 +32,7 @@ class ApplicationRecord < ActiveRecord::Base
     end
   end
 
-  def url_for(*args)
-    Rails.application.routes.url_helpers.url_for(*args)
+  def url_for(*)
+    Rails.application.routes.url_helpers.url_for(*)
   end
 end

app/models/concerns/calculated_adjustments.rb

@@ -5,6 +5,18 @@ require "active_support/concern"
 module CalculatedAdjustments
   extend ActiveSupport::Concern
 
+  CALCULATORS = %w{
+    Calculator::DefaultTax
+    Calculator::FlatPercentItemTotal
+    Calculator::FlatPercentPerItem
+    Calculator::FlatRate
+    Calculator::FlexiRate
+    Calculator::None
+    Calculator::PerItem
+    Calculator::PriceSack
+    Calculator::Weight
+  }.freeze
+
   included do
     has_one :calculator, as: :calculable, class_name: "Spree::Calculator", dependent: :destroy
     accepts_nested_attributes_for :calculator
@@ -32,7 +44,11 @@ module CalculatedAdjustments
   end
 
   def calculator_type=(calculator_type)
-    klass = calculator_type.constantize if calculator_type
+    return unless calculator_type
+
+    return unless CALCULATORS.include?(calculator_type)
+
+    klass = calculator_type.constantize
     self.calculator = klass.new if klass && !calculator.is_a?(klass)
   end
 

app/models/concerns/log_destroy_performer.rb

@@ -4,6 +4,7 @@ require 'active_support/concern'
 
 module LogDestroyPerformer
   extend ActiveSupport::Concern
+
   included do
     attr_accessor :destroyed_by
 

app/models/concerns/product_sort_by_stocks.rb

@@ -3,7 +3,7 @@
 module ProductSortByStocks
   extend ActiveSupport::Concern
 
-  included do
+  included do # rubocop:disable Metrics/BlockLength
     @on_hand_sql = Arel.sql("(
       SELECT COALESCE(SUM(si.count_on_hand), 0)
       FROM spree_variants v
@@ -20,8 +20,18 @@ module ProductSortByStocks
       GROUP BY v.product_id
     )")
 
+    # When a product is On-Demand (backorderable = true), return the product name.
+    # This allows alphabetical ordering inside the On-Demand group.
+    # For non-On-Demand products, return NULL so normal on_hand sorting still applies.
+    @backorderable_name_sql = Arel.sql("
+      CASE
+        WHEN (#{@backorderable_priority_sql}) THEN spree_products.name
+        ELSE NULL
+      END
+    ")
+
     class << self
-      attr_reader :on_hand_sql, :backorderable_priority_sql
+      attr_reader :on_hand_sql, :backorderable_priority_sql, :backorderable_name_sql
     end
 
     ransacker :on_hand do
@@ -31,5 +41,9 @@ module ProductSortByStocks
     ransacker :backorderable_priority do
       @backorderable_priority_sql
     end
+
+    ransacker :backorderable_name do
+      @backorderable_name_sql
+    end
   end
 end

app/models/customer.rb

@@ -25,11 +25,13 @@ class Customer < ApplicationRecord
   before_destroy :update_orders_and_delete_canceled_subscriptions
 
   belongs_to :bill_address, class_name: "Spree::Address", optional: true
-  alias_attribute :billing_address, :bill_address
+  alias_method :billing_address, :bill_address
+  alias_method :billing_address=, :bill_address=
   accepts_nested_attributes_for :bill_address
 
   belongs_to :ship_address, class_name: "Spree::Address", optional: true
-  alias_attribute :shipping_address, :ship_address
+  alias_method :shipping_address, :ship_address
+  alias_method :shipping_address=, :ship_address=
   accepts_nested_attributes_for :ship_address
 
   validates :code, uniqueness: { scope: :enterprise_id, allow_nil: true }

app/models/enterprise.rb

@@ -50,11 +50,11 @@ class Enterprise < ApplicationRecord
   has_many :distributed_orders, class_name: 'Spree::Order',
                                 foreign_key: 'distributor_id',
                                 inverse_of: :distributor,
-                                dependent: :restrict_with_exception
+                                dependent: :restrict_with_error
 
   belongs_to :address, class_name: 'Spree::Address'
   belongs_to :business_address, optional: true, class_name: 'Spree::Address', dependent: :destroy
-  has_many :enterprise_fees, dependent: :restrict_with_exception
+  has_many :enterprise_fees, dependent: :restrict_with_error
   has_many :enterprise_roles, dependent: :destroy
   has_many :users, through: :enterprise_roles
   belongs_to :owner, class_name: 'Spree::User',
@@ -62,21 +62,22 @@ class Enterprise < ApplicationRecord
   has_many :distributor_payment_methods,
            inverse_of: :distributor,
            foreign_key: :distributor_id,
-           dependent: :restrict_with_exception
+           dependent: :restrict_with_error
   has_many :distributor_shipping_methods,
            inverse_of: :distributor,
            foreign_key: :distributor_id,
-           dependent: :restrict_with_exception
+           dependent: :restrict_with_error
   has_many :payment_methods, through: :distributor_payment_methods
   has_many :shipping_methods, through: :distributor_shipping_methods
   has_many :customers, dependent: :destroy
   has_many :inventory_items, dependent: :destroy
   has_many :tag_rules, dependent: :destroy
   has_one :stripe_account, dependent: :destroy
-  has_many :vouchers, dependent: :restrict_with_exception
+  has_many :vouchers, dependent: :restrict_with_error
   has_many :connected_apps, dependent: :destroy
   has_many :dfc_permissions, dependent: :destroy
   has_one :custom_tab, dependent: :destroy
+  has_one :semantic_link, as: :subject, dependent: :delete
 
   delegate :latitude, :longitude, :city, :state_name, to: :address
 
@@ -110,11 +111,14 @@ class Enterprise < ApplicationRecord
   end
 
   validates :logo,
-            processable_image: true,
-            content_type: %r{\Aimage/(png|jpeg|gif|jpg|svg\+xml|webp)\Z}
+            processable_file: true,
+            content_type: ::Spree::Image::ACCEPTED_CONTENT_TYPES
   validates :promo_image,
-            processable_image: true,
-            content_type: %r{\Aimage/(png|jpeg|gif|jpg|svg\+xml|webp)\Z}
+            processable_file: true,
+            content_type: ::Spree::Image::ACCEPTED_CONTENT_TYPES
+  validates :white_label_logo,
+            processable_file: true,
+            content_type: ::Spree::Image::ACCEPTED_CONTENT_TYPES
   validates :terms_and_conditions, content_type: {
     in: "application/pdf",
     message: I18n.t(:enterprise_terms_and_conditions_type_error),
@@ -408,7 +412,7 @@ class Enterprise < ApplicationRecord
   def category
     # Make this crazy logic human readable so we can argue about it sanely.
     cat = is_primary_producer ? "producer_" : "non_producer_"
-    cat << ("sells_#{sells}")
+    cat << "sells_#{sells}"
 
     # Map backend cases to front end cases.
     case cat

app/models/enterprise_group.rb

@@ -29,11 +29,11 @@ class EnterpriseGroup < ApplicationRecord
   has_one_attached :promo_image, service: image_service
 
   validates :logo,
-            processable_image: true,
-            content_type: %r{\Aimage/(png|jpeg|gif|jpg|svg\+xml|webp)\Z}
+            processable_file: true,
+            content_type: ::Spree::Image::ACCEPTED_CONTENT_TYPES
   validates :promo_image,
-            processable_image: true,
-            content_type: %r{\Aimage/(png|jpeg|gif|jpg|svg\+xml|webp)\Z}
+            processable_file: true,
+            content_type: ::Spree::Image::ACCEPTED_CONTENT_TYPES
 
   scope :by_position, -> { order('position ASC') }
   scope :on_front_page, -> { where(on_front_page: true) }

app/models/invoice/data_presenter.rb

@@ -3,6 +3,7 @@
 class Invoice
   class DataPresenter
     include ::ActionView::Helpers::NumberHelper
+
     attr_reader :invoice
 
     delegate :display_number, :data, :previous_invoice, to: :invoice
@@ -142,7 +143,7 @@ class Invoice
     end
 
     def paid?
-      data[:payment_state] == 'paid' || data[:payment_state] == 'credit_owed'
+      ['paid', 'credit_owed'].include?(data[:payment_state])
     end
 
     def outstanding_balance?

app/models/invoice/data_presenter/base.rb

@@ -4,6 +4,7 @@ class Invoice
   class DataPresenter
     class Base
       include ::ActionView::Helpers::NumberHelper
+
       attr_reader :data
 
       def initialize(data)

app/models/product_import/product_importer.rb

@@ -81,17 +81,13 @@ module ProductImport
       @reset_counts
     end
 
-    def enterprises_index
-      @spreadsheet_data.enterprises_index
-    end
+    delegate :enterprises_index, to: :@spreadsheet_data
 
     def enterprise_products
       @processor&.enterprise_products
     end
 
-    def total_enterprise_products
-      @processor.total_enterprise_products
-    end
+    delegate :total_enterprise_products, to: :@processor
 
     def entries_json
       entries = {}
@@ -130,13 +126,9 @@ module ProductImport
       @processor.inventory_updated
     end
 
-    def products_reset_count
-      @processor.products_reset_count
-    end
+    delegate :products_reset_count, to: :@processor
 
-    def total_saved_count
-      @processor.total_saved_count
-    end
+    delegate :total_saved_count, to: :@processor
 
     def import_results
       { entries: entries_json, reset_counts: }
@@ -183,7 +175,7 @@ module ProductImport
     end
 
     def staged_import?
-      @import_settings&.key?(:start) && @import_settings&.key?(:end)
+      @import_settings&.key?(:start) && @import_settings.key?(:end)
     end
 
     def init_permissions

app/models/spree/ability.rb

@@ -143,7 +143,7 @@ module Spree
       can [:admin, :index, :read, :create, :edit, :update_positions, :destroy], ProducerProperty
 
       can :new, TagRule
-      can [:admin, :map_by_tag, :destroy], TagRule do |tag_rule|
+      can [:admin, :map_by_tag, :destroy, :variant_tag_rules], TagRule do |tag_rule|
         user.enterprises.include? tag_rule.enterprise
       end
 
@@ -196,12 +196,15 @@ module Spree
     def add_product_management_abilities(user)
       # Enterprise User can only access products that they are a supplier for
       can [:create], Spree::Product
+      # An enterperprise user can change a product if they are supplier of at least
+      # one of the product's associated variants
       can [:admin, :read, :index, :update,
            :seo, :group_buy_options,
            :bulk_update, :clone, :delete,
            :destroy], Spree::Product do |product|
-        OpenFoodNetwork::Permissions.new(user).managed_product_enterprises.include?(
-          product.variants.first.supplier
+        variant_suppliers = product.variants.map(&:supplier)
+        OpenFoodNetwork::Permissions.new(user).managed_product_enterprises.intersect?(
+          variant_suppliers
         )
       end
 

app/models/spree/calculator.rb

@@ -31,9 +31,7 @@ module Spree
       self.class.name.titleize.gsub("Calculator/", "")
     end
 
-    def description
-      self.class.description
-    end
+    delegate :description, to: :class
 
     def available?(_object)
       true

app/models/spree/gateway.rb

@@ -34,11 +34,11 @@ module Spree
       @provider.respond_to?(method_name, include_private) || super
     end
 
-    def method_missing(method, *args)
+    def method_missing(method, *)
       if @provider.nil? || !@provider.respond_to?(method)
         super
       else
-        provider.__send__(method, *args)
+        provider.__send__(method, *)
       end
     end
 

app/models/spree/image.rb

@@ -2,6 +2,8 @@
 
 module Spree
   class Image < Asset
+    ACCEPTED_CONTENT_TYPES = %r{\Aimage/(png|jpeg|gif|jpg|svg\+xml|webp)\Z}
+
     has_one_attached :attachment, service: image_service do |attachment|
       attachment.variant :mini, resize_to_fill: [48, 48]
       attachment.variant :small, resize_to_fill: [227, 227]
@@ -11,8 +13,8 @@ module Spree
 
     validates :attachment,
               attached: true,
-              processable_image: true,
-              content_type: %r{\Aimage/(png|jpeg|gif|jpg|svg\+xml|webp)\Z}
+              processable_file: true,
+              content_type: ACCEPTED_CONTENT_TYPES
     validate :no_attachment_errors
 
     def self.default_image_url(size)

app/models/spree/order.rb

@@ -35,10 +35,12 @@ module Spree
     belongs_to :created_by, class_name: "Spree::User", optional: true
 
     belongs_to :bill_address, class_name: 'Spree::Address', optional: true
-    alias_attribute :billing_address, :bill_address
+    alias_method :billing_address, :bill_address
+    alias_method :billing_address=, :bill_address=
 
     belongs_to :ship_address, class_name: 'Spree::Address', optional: true
-    alias_attribute :shipping_address, :ship_address
+    alias_method :shipping_address, :ship_address
+    alias_method :shipping_address=, :ship_address=
 
     has_many :state_changes, as: :stateful, dependent: :destroy
     has_many :line_items, -> {
@@ -97,7 +99,7 @@ module Spree
     }
     validate :disallow_guest_order
     validates :email, presence: true,
-                      format: /\A([\w.%+\-']+)@([\w\-]+\.)+(\w{2,})\z/i,
+                      format: /\A([\w.%+\-']+)@([\w-]+\.)+(\w{2,})\z/i,
                       if: :require_email
 
     validates :order_cycle, presence: true, on: :require_distribution
@@ -417,7 +419,7 @@ module Spree
 
     # Helper methods for checkout steps
     def paid?
-      payment_state == 'paid' || payment_state == 'credit_owed'
+      ['paid', 'credit_owed'].include?(payment_state)
     end
 
     # "Checkout" is the initial state and, for card payments, "pending" is the state after auth

app/models/spree/payment.rb

@@ -101,6 +101,24 @@ module Spree
       end
 
       after_transition to: :completed, do: :set_captured_at
+      after_transition do |payment, transition|
+        # Catch any exceptions to prevent any rollback potentially
+        # preventing payment from going through
+        ActiveSupport::Notifications.instrument(
+          "ofn.payment_transition", payment: payment, event: transition.to
+        )
+      rescue StandardError => e
+        Rails.logger.fatal "ActiveSupport::Notification.instrument failed params: " \
+                           "<event_type:ofn.payment_transition> " \
+                           "<payment_id:#{payment.id}> " \
+                           "<event:#{transition.to}>"
+        Alert.raise(
+          e,
+          metadata: {
+            event_tye: "ofn.payment_transition", payment_id: payment.id, event: transition.to
+          }
+        )
+      end
     end
 
     def money

app/models/spree/product.rb

@@ -31,7 +31,8 @@ module Spree
 
     acts_as_paranoid
 
-    searchable_attributes :meta_keywords, :sku, :on_hand, :backorderable_priority
+    searchable_attributes :meta_keywords, :sku, :on_hand, :backorderable_priority,
+                          :backorderable_name
     searchable_associations :properties, :variants
     searchable_scopes :active, :with_properties
 

app/models/spree/shipping_method.rb

@@ -3,6 +3,7 @@
 module Spree
   class ShippingMethod < ApplicationRecord
     include CalculatedAdjustments
+
     DISPLAY_ON_OPTIONS = {
       both: "",
       back_end: "back_end"

app/models/spree/user.rb

@@ -56,8 +56,8 @@ module Spree
 
     # Send devise-based user emails asyncronously via ActiveJob
     # See: https://github.com/heartcombo/devise/tree/v3.5.10#activejob-integration
-    def send_devise_notification(notification, *args)
-      devise_mailer.public_send(notification, self, *args).deliver_later
+    def send_devise_notification(notification, *)
+      devise_mailer.public_send(notification, self, *).deliver_later
     end
 
     def regenerate_reset_password_token

app/models/subscription.rb

@@ -24,8 +24,10 @@ class Subscription < ApplicationRecord
   has_many :proxy_orders, dependent: :destroy
   has_many :orders, through: :proxy_orders
 
-  alias_attribute :billing_address, :bill_address
-  alias_attribute :shipping_address, :ship_address
+  alias_method :billing_address, :bill_address
+  alias_method :billing_address=, :bill_address=
+  alias_method :shipping_address, :ship_address
+  alias_method :shipping_address=, :ship_address=
 
   accepts_nested_attributes_for :subscription_line_items, allow_destroy: true
   accepts_nested_attributes_for :bill_address, :ship_address

app/models/tag_rule.rb

@@ -7,6 +7,8 @@ class TagRule < ApplicationRecord
 
   scope :for, ->(enterprise) { where(enterprise_id: enterprise) }
   scope :prioritised, -> { order('priority ASC') }
+  scope :exclude_inventory, -> { where.not(type: "TagRule::FilterProducts") }
+  scope :exclude_variant, -> { where.not(type: "TagRule::FilterVariants") }
 
   def self.mapping_for(enterprises)
     self.for(enterprises).each_with_object({}) do |rule, mapping|
@@ -20,6 +22,14 @@ class TagRule < ApplicationRecord
     end
   end
 
+  def self.matching_variant_tag_rules_by_enterprises(enterprise_id, tag)
+    rules = where(type: "TagRule::FilterVariants").for(enterprise_id)
+
+    return [] if rules.empty?
+
+    rules.select { |r| r.preferred_variant_tags =~ /#{tag}/ }
+  end
+
   # The following method must be overriden in a concrete tagRule
   def tags
     raise NotImplementedError, 'please use concrete TagRule'

app/models/tag_rule/filter_variants.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+class TagRule
+  class FilterVariants < TagRule
+    preference :matched_variants_visibility, :string, default: "visible"
+    preference :variant_tags, :string, default: ""
+
+    def tags_match?(variant)
+      variant_tags = variant&.[]("tag_list") || []
+      preferred_tags = preferred_variant_tags.split(",")
+      variant_tags.intersect?(preferred_tags)
+    end
+
+    def reject_matched?
+      preferred_matched_variants_visibility != "visible"
+    end
+
+    def tags
+      preferred_variant_tags
+    end
+  end
+end

app/models/webhook_endpoint.rb

@@ -2,5 +2,11 @@
 
 # Records a webhook url to send notifications to
 class WebhookEndpoint < ApplicationRecord
+  WEBHOOK_TYPES = %w(order_cycle_opened payment_status_changed).freeze
+
   validates :url, presence: true
+  validates :webhook_type, presence: true, inclusion: { in: WEBHOOK_TYPES }
+
+  scope :order_cycle_opened, -> { where(webhook_type: "order_cycle_opened") }
+  scope :payment_status, -> { where(webhook_type: "payment_status_changed") }
 end

app/serializers/api/admin/enterprise_serializer.rb

@@ -62,7 +62,7 @@ module Api
       #     medium: LOGO_MEDIUM_URL
       #   }
       def attachment_urls(attachment, styles)
-        return unless attachment.variable?
+        return unless attachment.persisted? && attachment.variable?
 
         styles.index_with do |style|
           Rails.application.routes.url_helpers.

app/serializers/api/open_street_map_config_serializer.rb

@@ -8,24 +8,14 @@ module Api
                :open_street_map_default_latitude,
                :open_street_map_default_longitude
 
-    def open_street_map_enabled
-      ContentConfig.open_street_map_enabled
-    end
+    delegate :open_street_map_enabled, to: :ContentConfig
 
-    def open_street_map_provider_name
-      ContentConfig.open_street_map_provider_name
-    end
+    delegate :open_street_map_provider_name, to: :ContentConfig
 
-    def open_street_map_provider_options
-      ContentConfig.open_street_map_provider_options
-    end
+    delegate :open_street_map_provider_options, to: :ContentConfig
 
-    def open_street_map_default_latitude
-      ContentConfig.open_street_map_default_latitude
-    end
+    delegate :open_street_map_default_latitude, to: :ContentConfig
 
-    def open_street_map_default_longitude
-      ContentConfig.open_street_map_default_longitude
-    end
+    delegate :open_street_map_default_longitude, to: :ContentConfig
   end
 end

app/services/embedded_page_service.rb

@@ -36,7 +36,7 @@ class EmbeddedPageService
 
   def embedding_without_https?
     @request.referer && URI(@request.referer).scheme != 'https' &&
-      !Rails.env.test? && !Rails.env.development?
+      !Rails.env.local?
   end
 
   def process_embedded_request

app/services/image_importer.rb

@@ -11,7 +11,9 @@ class ImageImporter
 
     image = Spree::Image.create do |img|
       PrivateAddressCheck.only_public_connections do
-        img.attachment.attach(io: valid_url.open, filename:, metadata:)
+        io = valid_url.open
+        content_type = Marcel::MimeType.for(io)
+        img.attachment.attach(io:, filename:, metadata:, content_type:)
       end
     end
     product.image = image if image

app/services/order_cycles/clone_service.rb

@@ -9,7 +9,7 @@ module OrderCycles
     def create
       oc = @original_order_cycle.dup
       oc.name = I18n.t("models.order_cycle.cloned_order_cycle_name", order_cycle: oc.name)
-      oc.orders_open_at = oc.orders_close_at = oc.mails_sent = oc.processed_at = nil
+      oc.orders_open_at = oc.orders_close_at = oc.mails_sent = oc.processed_at = oc.opened_at = nil
       oc.coordinator_fee_ids = @original_order_cycle.coordinator_fee_ids
       oc.preferred_product_selection_from_coordinator_inventory_only =
         @original_order_cycle.preferred_product_selection_from_coordinator_inventory_only