
Add stripe marketplace app#61

Open
brozek95 wants to merge 5 commits into main from add-stripe-marketplace-app

Conversation

brozek95 (Contributor) commented Mar 16, 2026

Summary by CodeRabbit

  • New Features

    • Detect and validate Restricted API Keys; admin UI now shows guidance and conditional migration tips; new in-app Settings screen for the Stripe integration.
  • Documentation

    • Added README and in-app setup guidance for configuring the Stripe integration and migrating to Restricted API Keys.
  • Tests

    • Added tests for Restricted API Key detection.
  • Chores

    • Added project config and tooling files for the new UI extension.

coderabbitai (Bot) commented Mar 16, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ec6c5b3d-1e65-4c31-a653-749e3b249b1d

📥 Commits

Reviewing files that changed from the base of the PR and between a3e3238 and 539c493.

📒 Files selected for processing (2)
  • spree-commerce/package.json
  • spree-commerce/stripe-app.json
✅ Files skipped from review due to trivial changes (1)
  • spree-commerce/package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • spree-commerce/stripe-app.json

Walkthrough

Adds Restricted API Key detection and safer Stripe secret-key validation with distinct permission error handling; updates admin UI with migration alerts and i18n strings; adds tests for the new method; and introduces a Spree Stripe UI extension (manifest, SettingsView, and tooling/config files).

Changes

Gateway & Tests
  Files: app/models/spree_stripe/gateway.rb, spec/models/spree_stripe/gateway_spec.rb
  Summary: Added restricted_api_key? (checks preferred_secret_key prefix rk_), switched secret-key validation to Stripe::PaymentIntent.list, and added distinct handling/messages for Stripe::PermissionError. Tests for rk_/sk_/nil cases added.
Admin UI & Localization
  Files: app/views/spree/admin/payment_methods/configuration_guides/_spree_stripe.html.erb, config/locales/en.yml
  Summary: Inserted a persistent config-guide alert and a conditional migration-tip alert; added i18n keys for migration tip and two new permission/publishable-key error messages.
Stripe App UI & Manifest
  Files: spree-commerce/src/views/AppSettings.tsx, spree-commerce/stripe-app.json, spree-commerce/README.md
  Summary: New SettingsView React component, Stripe app manifest declaring restricted API key access and required permission scopes, and README describing app purpose and CLI commands.
Tooling & Config
  Files: spree-commerce/package.json, spree-commerce/jest.config.js, spree-commerce/tsconfig.json, spree-commerce/ui-extensions.d.ts, spree-commerce/.gitignore
  Summary: Added package metadata, dependencies, ESLint/Jest/TS configs, type refs, and .gitignore for the Spree Stripe UI extension.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

  • damianlegawiec
  • mad-eel

Poem

🐰 I hopped through keys both sk_ and rk_,
I sniffed the gateway, gave a tiny "eek!"
I planted guides and messages bright,
A Settings view to show the light,
Hop on, the checkout's set to peek! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (2 passed)
Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title 'Add stripe marketplace app' accurately describes the main changes: adding a new Stripe app with marketplace/configuration capabilities to the spree_stripe project.


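The walkthrough above describes three behaviours of the gateway change: an rk_ prefix check, validating the configured secret key by listing payment intents, and mapping Stripe::PermissionError to its own message instead of a generic "invalid key". The block below is an added example, not spree_stripe's code, that models those three paths with the Stripe gem swapped for an injectable probe so it runs offline. The StripeStub error classes stand in for Stripe::AuthenticationError and Stripe::PermissionError, the scope names and result symbols are assumptions, and the fixture keys are assembled at runtime so no key-shaped literal appears in the file (the concern raised later in this thread about the spec).

```ruby
# Added example (not spree_stripe's code): models the PR's restricted_api_key?
# check and the Stripe::PaymentIntent.list-based secret-key validation, with
# the Stripe gem replaced by an injectable probe so it runs offline.
# Module names, scope names and result symbols below are constructed.

module StripeStub
  # Stand-ins for the stripe gem's Stripe::AuthenticationError and
  # Stripe::PermissionError; only the class hierarchy matters here.
  class StripeError < StandardError; end
  class AuthenticationError < StripeError; end
  class PermissionError < StripeError; end
end

module KeyCheck
  # Stripe key prefixes: secret (sk_), restricted (rk_), publishable (pk_).
  PREFIXES = { 'sk_' => :secret, 'rk_' => :restricted, 'pk_' => :publishable }.freeze

  def self.kind(key)
    key = key.to_s
    PREFIXES.each { |prefix, k| return k if key.start_with?(prefix) }
    :unknown
  end

  # Mirrors the PR's helper: true only for rk_ keys; nil-safe.
  def self.restricted_api_key?(key)
    kind(key) == :restricted
  end

  # Validates a secret key by calling `probe`, which stands in for
  # Stripe::PaymentIntent.list(limit: 1) and raises the stub errors above.
  # Returns a distinct symbol per outcome so the caller can map each to its
  # own i18n message rather than one generic "invalid key" string.
  def self.validate_secret_key(key, probe)
    return :publishable_key_given if kind(key) == :publishable
    return :blank_key if key.to_s.strip.empty?
    probe.call(key)
    :ok
  rescue StripeStub::PermissionError
    :missing_permission        # rk_ key exists but lacks the needed scope
  rescue StripeStub::AuthenticationError
    :invalid_key               # unknown or revoked key
  end
end

# Constructed fixture: keys are assembled at runtime so the file contains no
# key-shaped literal (rk_live_..., sk_live_...) that a secret scanner would flag.
FULL_KEY     = %w[sk test full00].join('_')
SCOPED_KEY   = %w[rk test scoped0].join('_')
UNSCOPED_KEY = %w[rk test noscope].join('_')
PUBLISHABLE  = %w[pk test pub000].join('_')
UNKNOWN_KEY  = %w[sk test bogus0].join('_')

# Scopes granted per key (constructed); sk_ keys implicitly have every scope.
GRANTED_SCOPES = {
  FULL_KEY     => :all,
  SCOPED_KEY   => %w[payment_intent_read],
  UNSCOPED_KEY => %w[customer_read],
}.freeze

# Fake "list payment intents" call with the same failure modes as Stripe:
# unknown key -> AuthenticationError, key without the scope -> PermissionError.
FAKE_PROBE = lambda do |key|
  scopes = GRANTED_SCOPES.fetch(key) { raise StripeStub::AuthenticationError, 'Invalid API Key' }
  return [] if scopes == :all || scopes.include?('payment_intent_read')
  raise StripeStub::PermissionError, 'restricted key lacks payment_intent_read'
end

# Runs every fixture key through the validator; returns { key => outcome }.
def validation_report
  [FULL_KEY, SCOPED_KEY, UNSCOPED_KEY, PUBLISHABLE, nil, UNKNOWN_KEY].to_h do |k|
    [k, KeyCheck.validate_secret_key(k, FAKE_PROBE)]
  end
end

if __FILE__ == $PROGRAM_NAME
  validation_report.each { |k, outcome| puts "#{k.inspect}: #{outcome}" }
end
```

The point of the separate :missing_permission outcome is operational: an rk_ key that authenticates but cannot list payment intents is a misconfigured scope set, not a bad key, and the admin message should say which to fix. Checking the pk_ prefix before touching the network avoids sending a publishable key as a bearer credential at all.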
brozek95 marked this pull request as ready for review March 16, 2026 12:27

coderabbitai (Bot) left a comment

Actionable comments posted: 4

🧹 Nitpick comments (3)
spree-commerce/.gitignore (1)

14-17: Consider ignoring base .env to reduce secret-leak risk.

You currently ignore only environment-specific/local variants. If this app uses a plain .env, it can still be committed by mistake. Consider adding .env (and optionally .env.* with an exception for .env.example if needed).

Proposed update
 # misc
 .DS_Store
+.env
+.env.*
+!.env.example
 .env.local
 .env.development.local
 .env.test.local
 .env.production.local
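Review bot: once `.env.*` is added, the four `.env.*.local` lines that remain below it are already covered and can be dropped; the `!.env.example` negation must stay after `.env.*` (as it is here) because a later pattern wins, and since that negation re-tracks `.env.example`, it is worth confirming that file only ever holds placeholder values.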
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@spree-commerce/.gitignore` around lines 14 - 17, The .gitignore currently
only ignores environment-specific files; add an entry for the base .env to
prevent accidental commits (and optionally add a pattern like .env.* while
explicitly allowing .env.example) so that plain .env is ignored but example
files remain tracked; update the .gitignore to include ".env" and, if desired,
".env.*" with a negation for ".env.example".
app/views/spree/admin/payment_methods/configuration_guides/_spree_stripe.html.erb (1)

3-4: Move the guide text/link label into i18n for consistency.

This partial already uses Spree.t (Line 10), so localizing the first alert text keeps admin UI copy translatable and consistent.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@app/views/spree/admin/payment_methods/configuration_guides/_spree_stripe.html.erb`
around lines 3 - 4, The alert text and link label in the partial
_spree_stripe.html.erb should be moved into i18n keys and referenced with
Spree.t to match the existing localization pattern (see existing Spree.t usage
in this partial), so replace the hardcoded string "Please follow" and the link
label passed to external_link_to with calls to Spree.t('...') keys (e.g.
spree.admin.payment_methods.configuration_guides.spree_stripe.prompt and
.link_text), add those keys to the appropriate locale file, and keep using
external_link_to for the URL while passing the localized label.
spree-commerce/stripe-app.json (1)

14-16: Empty content_security_policy.purpose may be a placeholder.

The purpose field is empty. If no external resources are needed, consider removing the content_security_policy block entirely, or add the appropriate purpose description if external connections are required.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@spree-commerce/stripe-app.json` around lines 14 - 16, The
content_security_policy.purpose field is empty; either remove the entire
content_security_policy block if no CSP explanation is needed, or populate
content_security_policy.purpose with an appropriate description of why a CSP
entry exists (e.g., "allow connections to Stripe webhooks" or "third-party
script authorization") so the intent is clear; update the JSON accordingly and
ensure the resulting structure remains valid and matches any app manifest schema
that expects content_security_policy.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@spec/models/spree_stripe/gateway_spec.rb`:
- Line 1017: Replace the hard-coded key-shaped literals that trigger secret
scanners by using non-key-shaped test values or constructing them at runtime;
specifically change assignments to gateway.preferred_secret_key (currently
'rk_live_abc123') and the similar sk_live literal at the other spot to something
like a benign string (e.g. 'test_secret_key') or build the value dynamically
(e.g. ['rk','live','abc123'].join('_')) so the spec no longer contains
key-looking literals but keeps the same semantics for Gateway tests.

In `@spree-commerce/package.json`:
- Around line 10-12: Update the package.json "engines" entry to raise the
Node.js minimum supported version from ">=14" to a current LTS baseline (e.g.,
">=16" or preferably ">=18") so the "engines" field enforces a supported Node
runtime; modify the value of the "node" string under the "engines" object
accordingly and run CI/tests to verify compatibility with the new Node baseline.

In `@spree-commerce/README.md`:
- Line 7: Fix the typo "Instalation" to "Installation" in the README line
containing "Instalation guide: https://docs.stripe.com/stripe-apps/plugins/rak"
and replace the fenced URL block occurrences (the triple-backtick-wrapped URL
and plain raw URL lines like
"https://spreecommerce.org/docs/integrations/payments/stripe") with a normal
Markdown link or angle-bracketed URL (e.g., [Spree Stripe
docs](https://spreecommerce.org/docs/integrations/payments/stripe) or
<https://spreecommerce.org/docs/integrations/payments/stripe>); update all
instances mentioned (the original line and the occurrences around lines 25–27).

In `@spree-commerce/stripe-app.json`:
- Around line 19-72: The permissions manifest is missing the required
`setup_intent_write` permission, which is necessary for creating setup intents
as used by the `SpreeStripe::CreateSetupIntent` class. Add a new permission
entry with `"permission": "setup_intent_write"` and an appropriate `"purpose"`
description to the permissions array to prevent Stripe::PermissionError when
creating setup intents via the gateway.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d656a28c-666c-4ff9-b263-15efd6e0258f

📥 Commits

Reviewing files that changed from the base of the PR and between 18e1f7e and f8f6441.

⛔ Files ignored due to path filters (2)
  • spree-commerce/icon.png is excluded by !**/*.png
  • spree-commerce/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (12)
  • app/models/spree_stripe/gateway.rb
  • app/views/spree/admin/payment_methods/configuration_guides/_spree_stripe.html.erb
  • config/locales/en.yml
  • spec/models/spree_stripe/gateway_spec.rb
  • spree-commerce/.gitignore
  • spree-commerce/README.md
  • spree-commerce/jest.config.js
  • spree-commerce/package.json
  • spree-commerce/src/views/AppSettings.tsx
  • spree-commerce/stripe-app.json
  • spree-commerce/tsconfig.json
  • spree-commerce/ui-extensions.d.ts

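Two of the review's findings on spree-commerce/stripe-app.json concern the manifest rather than the Ruby gateway: a permission the gateway needs (setup_intent_write) is absent from the permissions array, and the content_security_policy block carries an empty purpose. The block below is an added example, not the PR's code, of a small lint that catches both classes of problem and, as a least-privilege check, also flags declared permissions nothing uses. The sample manifest is constructed to resemble the excerpts quoted in the review, and the operation-to-permission map is an illustrative assumption, not Stripe's official list.

```ruby
require 'json'

# Added example (not the PR's code): lint a Stripe app manifest for the two
# issues raised in review (a permission the gateway needs is missing; a
# "purpose" is left blank) plus declared-but-unused permissions.
# The manifest and the operation map below are constructed for illustration.

# Hypothetical mapping from gateway operations to restricted-key permissions.
OPERATION_PERMISSIONS = {
  'PaymentIntent.list'   => 'payment_intent_read',
  'PaymentIntent.create' => 'payment_intent_write',
  'SetupIntent.create'   => 'setup_intent_write',
  'Customer.create'      => 'customer_write',
}.freeze

# Returns an array of human-readable findings; empty means the manifest is
# consistent with the operations the gateway performs.
def lint_manifest(manifest_json, operations_used)
  manifest = JSON.parse(manifest_json)
  findings = []
  permissions = manifest['permissions'] || []

  declared = permissions.map { |p| p['permission'] }
  required = operations_used.map { |op| OPERATION_PERMISSIONS.fetch(op) }.uniq

  (required - declared).each do |perm|
    users = operations_used.select { |op| OPERATION_PERMISSIONS[op] == perm }
    findings << "missing permission #{perm} (needed by #{users.join(', ')})"
  end
  # Least privilege: anything granted that no gateway call needs is surplus.
  (declared - required).each { |perm| findings << "unused permission #{perm}" }

  permissions.each do |p|
    findings << "empty purpose for permission #{p['permission']}" if p['purpose'].to_s.strip.empty?
  end

  csp = manifest.dig('ui_extension', 'content_security_policy')
  if csp && csp['purpose'].to_s.strip.empty?
    findings << 'ui_extension.content_security_policy.purpose is empty; remove the block or state why a CSP is needed'
  end
  findings
end

# Constructed manifest shaped like the review's excerpts; not the real file.
SAMPLE_MANIFEST = <<~JSON
  {
    "ui_extension": {
      "views": [{ "viewport": "settings", "component": "AppSettings" }],
      "content_security_policy": { "purpose": "" }
    },
    "permissions": [
      { "permission": "payment_intent_read",  "purpose": "Validate the configured secret key" },
      { "permission": "payment_intent_write", "purpose": "Create payment intents at checkout" },
      { "permission": "customer_write",       "purpose": "" }
    ]
  }
JSON

# Operations the gateway performs (assumed from the review's mention of
# SpreeStripe::CreateSetupIntent plus the PaymentIntent calls).
GATEWAY_OPERATIONS = %w[PaymentIntent.list PaymentIntent.create SetupIntent.create].freeze

if __FILE__ == $PROGRAM_NAME
  puts lint_manifest(SAMPLE_MANIFEST, GATEWAY_OPERATIONS)
end
```

Running the lint against the sample reports the missing setup_intent_write, the surplus customer_write, its blank purpose, and the empty CSP purpose. A check like this belongs in CI for the app directory so that a new Stripe call in the gateway cannot ship without the scope it needs, which is exactly the failure the PermissionError handling in the gateway would otherwise surface at runtime.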
brozek95 marked this pull request as draft March 18, 2026 08:47

coderabbitai (Bot) left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
spree-commerce/stripe-app.json (1)

14-16: Empty content_security_policy.purpose appears incomplete.

The purpose field is set to an empty string. If a custom CSP is not required, consider removing the content_security_policy block entirely. If it is required, provide a meaningful description of the policy's intent.

🧹 Suggested fix: Remove empty CSP block
   "ui_extension": {
     "views": [
       {
         "viewport": "settings",
         "component": "AppSettings"
       }
-    ],
-    "content_security_policy": {
-      "purpose": ""
-    }
+    ]
   },
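Review bot: dropping the content_security_policy block is only right if the AppSettings view makes no requests outside Stripe's own origins; if the settings screen needs to reach the Spree store (for example to test the connection), the block should stay and "purpose" should name the host and the reason, which is what the earlier nitpick asked for when external connections are required.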
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@spree-commerce/stripe-app.json` around lines 14 - 16, The
content_security_policy.purpose field is empty and should not be left blank;
either remove the entire content_security_policy block if no custom CSP is
required, or populate content_security_policy.purpose with a concise description
of the CSP's intent so the JSON reflects its purpose (update the
"content_security_policy" object and specifically the "purpose" property).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@spree-commerce/package.json`:
- Around line 6-8: Update the outdated dependency versions in package.json: bump
"stripe" from "^13.4.0" to a current v20.x release, update
"@stripe/ui-extension-sdk" if a newer stable exists, and review
"@stripe/ui-extension-tools" (currently "^0.0.1") to ensure that version is
intentional; also update the pinned resolution for "@types/react" from "^17.0.2"
to a modern matching version (e.g., 19.x) that aligns with your React/SDK
requirements. Modify the dependencies and resolutions entries in package.json
accordingly, run npm/yarn install and run tests or build to verify
compatibility, and adjust any import/type usage in code (search for references
to stripe, `@stripe/ui-extension-sdk`, `@stripe/ui-extension-tools`, and
`@types/react`) to resolve API or type changes introduced by the upgrades.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 23261c62-af0f-442c-b011-244f623a8092

📥 Commits

Reviewing files that changed from the base of the PR and between f8f6441 and a3e3238.

📒 Files selected for processing (3)
  • spree-commerce/README.md
  • spree-commerce/package.json
  • spree-commerce/stripe-app.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • spree-commerce/README.md

brozek95 marked this pull request as ready for review March 24, 2026 10:20
Labels: None yet
Projects: None yet
2 participants