Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

orcaqubits/spree-headless-storefront

Name: spree-headless-storefront
Author: orcaqubits

dist/codex/spree-commerce/skills/spree-headless-storefront/SKILL.md

npx skillsauth add orcaqubits/agentic-commerce-claude-plugins spree-headless-storefront

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Spree Headless Next.js Storefront

Before writing code

Fetch live docs:

Fetch https://github.com/spree/storefront (README) for current setup and customization.
Fetch https://spreecommerce.org/docs/developer/storefront/nextjs/quickstart for the quickstart.
Fetch the Next.js 16 docs for App Router / Server Actions patterns the storefront uses.
Cross-reference https://github.com/spree/sdk for SDK usage.
Check the v5.4 announcement for the storefront's release context.

Conceptual Architecture

The Two Repos

| Repo | Role | |------|------| | spree/spree-starter | Rails backend application | | spree/storefront | Next.js headless storefront |

The storefront talks to the backend exclusively over API v3 (Store API).

Tech Stack

| Layer | Tech | |-------|------| | Framework | Next.js 16 (App Router, Server Actions, Turbopack) | | UI runtime | React 19 (Server Components + Client Components) | | Styling | Tailwind CSS 4 | | Type system | TypeScript 5 | | API client | @spree/sdk with Zod schemas | | Search | MeiliSearch faceted search | | Auth | Server-only — httpOnly JWT cookies + publishable key | | Payments | Stripe Elements / Apple Pay / Google Pay / Link / Klarna / Affirm / SEPA | | Analytics | GA4, JSON-LD, OpenGraph | | Error tracking | Sentry | | Deploy | Vercel (recommended) or Docker |

Prerequisites

Node 20+
Spree backend on 5.4+ (API v3 required)
A publishable key (pk_…) from admin

Project Layout

storefront/
├── app/
│   ├── (storefront)/      # public pages (App Router groups)
│   │   ├── [region]/[locale]/
│   │   │   ├── products/
│   │   │   ├── cart/
│   │   │   └── checkout/
│   │   └── account/
│   ├── api/                # Route Handlers for webhooks etc.
│   ├── layout.tsx
│   └── page.tsx
├── components/
│   ├── ui/                 # Tailwind-styled primitives
│   ├── product/
│   ├── cart/
│   └── checkout/
├── lib/
│   ├── spree.server.ts     # admin/auth client — never imported client-side
│   ├── spree.public.ts     # publishable-key client
│   ├── auth.ts             # Server Action helpers for sign in/out
│   └── meilisearch.ts
├── public/
├── tailwind.config.ts
├── next.config.ts
└── package.json

Auth: Server-Only by Design

The publishable key (pk_…) is the only Spree credential that may reach the browser.
User JWTs live in httpOnly cookies set via Server Actions; never accessible to client JS.
The admin API key never leaves the server bundle. The storefront should never have it set in env.
Cart order_token also in httpOnly cookie.

// app/api/auth/sign-in/route.ts (Route Handler)
import { cookies } from 'next/headers';
import { spreePublic } from '@/lib/spree.public';

export async function POST(req: Request) {
  const { email, password } = await req.json();
  const { access_token, refresh_token, expires_in } = await spreePublic.auth.signIn({ email, password });
  cookies().set('spree_jwt', access_token, {
    httpOnly: true,
    secure: true,
    sameSite: 'lax',
    maxAge: expires_in,
  });
  cookies().set('spree_refresh', refresh_token, { httpOnly: true, secure: true, sameSite: 'lax' });
  return Response.json({ ok: true });
}

Market / Region Routing

URLs follow /[region]/[locale]/...:

/us/en/products/classic-tee
/de/de/produkte/classic-tee

The storefront resolves current_market from the URL, then passes it to the API so backend filters by market-allowed payment methods, shipping methods, prices.

Faceted Catalog via MeiliSearch

The storefront's PLP (Product Listing Page) issues a MeiliSearch query (or hits a Spree API v3 endpoint that proxies to MeiliSearch — verify the live pattern). Facets: brand, color, size, price range, taxon. Typo-tolerant.

Checkout Flow

Cart page — line items, totals, suggested upsells
Address page — bill/ship; pre-filled for logged-in users
Delivery page — pick shipping method (one per shipment)
Payment page — pick payment method, render gateway UI
- Stripe → Stripe Elements / Apple Pay / Google Pay / Link
- Klarna, Affirm, SEPA — Stripe-backed
Review page — final totals, place order
Confirmation — redirect to order page with ord_…

Implemented as one-page with progressive disclosure in the official storefront.

Server Actions for Mutating Calls

// app/(storefront)/cart/actions.ts
'use server';

import { cookies } from 'next/headers';
import { revalidatePath } from 'next/cache';
import { spreePublic } from '@/lib/spree.public';

export async function addToCart(variantId: string, quantity = 1) {
  const orderToken = cookies().get('spree_cart_token')?.value;
  const result = await spreePublic.cart.addItem({ variantId, quantity, orderToken });
  if (!orderToken) {
    cookies().set('spree_cart_token', result.token, { httpOnly: true, secure: true, sameSite: 'lax' });
  }
  revalidatePath('/cart');
  return result;
}

SEO

JSON-LD for Product, BreadcrumbList, Offer, Organization
OpenGraph + Twitter Cards
Sitemap generated by next-sitemap or similar
robots.txt
Translated meta tags per locale
Canonical URLs respecting the region/locale prefix

Analytics

GA4 loaded server-side via next/script
E-commerce events: view_item, add_to_cart, begin_checkout, purchase — fired client-side after Server Action completion
JSON-LD + Schema.org for structured data

Implementation Guidance

Cloning and Running

git clone https://github.com/spree/storefront my-storefront
cd my-storefront
cp .env.example .env.local
# Set:
#   SPREE_API_URL=http://localhost:4000   (your Spree backend)
#   NEXT_PUBLIC_SPREE_PUBLISHABLE_KEY=pk_test_...
#   MEILISEARCH_HOST=http://localhost:7700
#   MEILISEARCH_PUBLIC_KEY=...
npm install
npm run dev  # http://localhost:3000

Customizing Pages

The App Router structure makes customization file-system-based — add or replace files under app/. For shared layout changes, edit the relevant layout.tsx.

Customizing Components

Override Tailwind tokens in tailwind.config.ts:

export default {
  theme: {
    extend: {
      colors: {
        brand: { 500: '#0066ff', 600: '#0052cc' }
      },
      fontFamily: {
        display: ['"Inter Display"', 'sans-serif']
      }
    }
  }
}

For Tailwind 4 specifically, prefer the @theme directive in CSS:

@import 'tailwindcss';

@theme {
  --color-brand-500: oklch(0.6 0.2 250);
  --font-display: 'Inter Display', sans-serif;
}

Adding a New Page

// app/(storefront)/[region]/[locale]/about/page.tsx
export default async function AboutPage({ params }: { params: Promise<{ region: string; locale: string }> }) {
  const { locale } = await params;
  return <main>About {locale}</main>;
}

Next.js 16 wraps params in a Promise — await it.

Hooking Custom Backend Data

If you've added a Metafield or extension field on the backend:

const product = await spreePublic.products.find('prod_...', { expand: ['metafields'] });
const launchDate = product.metafields?.my_app?.launch_date;

Augment SDK types via types/spree.d.ts if you want type safety.

Caching Strategy

| Page | Strategy | |------|----------| | Homepage | ISR — revalidate: 60 | | Product detail | ISR — revalidate: 300 (5 min) | | Cart | Dynamic — dynamic = 'force-dynamic' | | Account | Dynamic | | Order confirmation | Dynamic |

Deployment

Vercel (recommended):

Hook the GitHub repo
Set env vars (SPREE_API_URL, NEXT_PUBLIC_SPREE_PUBLISHABLE_KEY, MeiliSearch creds, Sentry DSN)
Build command: npm run build
Output: standalone

Docker:

The repo ships a Dockerfile
Multi-stage build to reduce image size
Deploy to any container runtime

Common Pitfalls

Importing spree.server.ts from a Client Component — Next.js's 'use server' enforcement is essential; opt into it.
Storing tokens in localStorage — XSS-vulnerable; use httpOnly cookies via Server Actions.
Hardcoding region/locale — breaks multi-market deployments.
Forgetting revalidatePath after Server Actions — stale UI.
MeiliSearch index drift — backend reindexes async; staging vs prod can disagree.
Hardcoding payment-method visibility in UI — let the backend's Market config drive it.
Bundling Sentry on the client with the server DSN — leaks credentials. Use the public DSN.
Pinning Next.js too aggressively — the storefront repo bumps Next.js minor versions; match the storefront's pin.

Always re-fetch the storefront repo's README before customizing — the codebase iterates rapidly with each Spree release.

orcaqubits/spree-headless-storefront

dist/codex/spree-commerce/skills/spree-headless-storefront/SKILL.md

Build with Spree's headless Next.js storefront — the official `spree/storefront` repo (Next.js 16 App Router with Server Actions and Turbopack, React 19 Server Components, Tailwind CSS 4, TypeScript 5, `@spree/sdk`, Sentry), server-only auth (httpOnly JWT cookies + publishable key), MeiliSearch faceted catalog, one-page checkout with Apple/Google Pay/Klarna/Affirm/SEPA, multi-region market routing, GA4 + JSON-LD SEO, and Vercel/Docker deployment. Use when forking or customizing the storefront, or evaluating headless adoption.

27 stars

development

Updated May 14, 2026

$ install --global

skillsauth

npx skillsauth add orcaqubits/agentic-commerce-claude-plugins spree-headless-storefront

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 14, 2026, 6:06 AM166.0s1 file scanned

SKILL.md

name:: spree-headless-storefront
description:: >

Spree Headless Next.js Storefront

Before writing code

Fetch live docs:

Fetch https://github.com/spree/storefront (README) for current setup and customization.
Fetch https://spreecommerce.org/docs/developer/storefront/nextjs/quickstart for the quickstart.
Fetch the Next.js 16 docs for App Router / Server Actions patterns the storefront uses.
Cross-reference https://github.com/spree/sdk for SDK usage.
Check the v5.4 announcement for the storefront's release context.

Conceptual Architecture

The Two Repos

| Repo | Role | |------|------| | spree/spree-starter | Rails backend application | | spree/storefront | Next.js headless storefront |

The storefront talks to the backend exclusively over API v3 (Store API).

Tech Stack

Prerequisites

Node 20+
Spree backend on 5.4+ (API v3 required)
A publishable key (pk_…) from admin

Project Layout

storefront/
├── app/
│   ├── (storefront)/      # public pages (App Router groups)
│   │   ├── [region]/[locale]/
│   │   │   ├── products/
│   │   │   ├── cart/
│   │   │   └── checkout/
│   │   └── account/
│   ├── api/                # Route Handlers for webhooks etc.
│   ├── layout.tsx
│   └── page.tsx
├── components/
│   ├── ui/                 # Tailwind-styled primitives
│   ├── product/
│   ├── cart/
│   └── checkout/
├── lib/
│   ├── spree.server.ts     # admin/auth client — never imported client-side
│   ├── spree.public.ts     # publishable-key client
│   ├── auth.ts             # Server Action helpers for sign in/out
│   └── meilisearch.ts
├── public/
├── tailwind.config.ts
├── next.config.ts
└── package.json

Auth: Server-Only by Design

The publishable key (pk_…) is the only Spree credential that may reach the browser.
User JWTs live in httpOnly cookies set via Server Actions; never accessible to client JS.
The admin API key never leaves the server bundle. The storefront should never have it set in env.
Cart order_token also in httpOnly cookie.

// app/api/auth/sign-in/route.ts (Route Handler)
import { cookies } from 'next/headers';
import { spreePublic } from '@/lib/spree.public';

export async function POST(req: Request) {
  const { email, password } = await req.json();
  const { access_token, refresh_token, expires_in } = await spreePublic.auth.signIn({ email, password });
  cookies().set('spree_jwt', access_token, {
    httpOnly: true,
    secure: true,
    sameSite: 'lax',
    maxAge: expires_in,
  });
  cookies().set('spree_refresh', refresh_token, { httpOnly: true, secure: true, sameSite: 'lax' });
  return Response.json({ ok: true });
}

Market / Region Routing

URLs follow /[region]/[locale]/...:

/us/en/products/classic-tee
/de/de/produkte/classic-tee

The storefront resolves current_market from the URL, then passes it to the API so backend filters by market-allowed payment methods, shipping methods, prices.

Faceted Catalog via MeiliSearch

Checkout Flow

Cart page — line items, totals, suggested upsells
Address page — bill/ship; pre-filled for logged-in users
Delivery page — pick shipping method (one per shipment)
Payment page — pick payment method, render gateway UI
- Stripe → Stripe Elements / Apple Pay / Google Pay / Link
- Klarna, Affirm, SEPA — Stripe-backed
Review page — final totals, place order
Confirmation — redirect to order page with ord_…

Implemented as one-page with progressive disclosure in the official storefront.

Server Actions for Mutating Calls

// app/(storefront)/cart/actions.ts
'use server';

import { cookies } from 'next/headers';
import { revalidatePath } from 'next/cache';
import { spreePublic } from '@/lib/spree.public';

export async function addToCart(variantId: string, quantity = 1) {
  const orderToken = cookies().get('spree_cart_token')?.value;
  const result = await spreePublic.cart.addItem({ variantId, quantity, orderToken });
  if (!orderToken) {
    cookies().set('spree_cart_token', result.token, { httpOnly: true, secure: true, sameSite: 'lax' });
  }
  revalidatePath('/cart');
  return result;
}

SEO

JSON-LD for Product, BreadcrumbList, Offer, Organization
OpenGraph + Twitter Cards
Sitemap generated by next-sitemap or similar
robots.txt
Translated meta tags per locale
Canonical URLs respecting the region/locale prefix

Analytics

GA4 loaded server-side via next/script
E-commerce events: view_item, add_to_cart, begin_checkout, purchase — fired client-side after Server Action completion
JSON-LD + Schema.org for structured data

Implementation Guidance

Cloning and Running

git clone https://github.com/spree/storefront my-storefront
cd my-storefront
cp .env.example .env.local
# Set:
#   SPREE_API_URL=http://localhost:4000   (your Spree backend)
#   NEXT_PUBLIC_SPREE_PUBLISHABLE_KEY=pk_test_...
#   MEILISEARCH_HOST=http://localhost:7700
#   MEILISEARCH_PUBLIC_KEY=...
npm install
npm run dev  # http://localhost:3000

Customizing Pages

The App Router structure makes customization file-system-based — add or replace files under app/. For shared layout changes, edit the relevant layout.tsx.

Customizing Components

Override Tailwind tokens in tailwind.config.ts:

export default {
  theme: {
    extend: {
      colors: {
        brand: { 500: '#0066ff', 600: '#0052cc' }
      },
      fontFamily: {
        display: ['"Inter Display"', 'sans-serif']
      }
    }
  }
}

For Tailwind 4 specifically, prefer the @theme directive in CSS:

@import 'tailwindcss';

@theme {
  --color-brand-500: oklch(0.6 0.2 250);
  --font-display: 'Inter Display', sans-serif;
}

Adding a New Page

// app/(storefront)/[region]/[locale]/about/page.tsx
export default async function AboutPage({ params }: { params: Promise<{ region: string; locale: string }> }) {
  const { locale } = await params;
  return <main>About {locale}</main>;
}

Next.js 16 wraps params in a Promise — await it.

Hooking Custom Backend Data

If you've added a Metafield or extension field on the backend:

const product = await spreePublic.products.find('prod_...', { expand: ['metafields'] });
const launchDate = product.metafields?.my_app?.launch_date;

Augment SDK types via types/spree.d.ts if you want type safety.

Caching Strategy

Deployment

Vercel (recommended):

Hook the GitHub repo
Set env vars (SPREE_API_URL, NEXT_PUBLIC_SPREE_PUBLISHABLE_KEY, MeiliSearch creds, Sentry DSN)
Build command: npm run build
Output: standalone

Docker:

The repo ships a Dockerfile
Multi-stage build to reduce image size
Deploy to any container runtime

Common Pitfalls

Importing spree.server.ts from a Client Component — Next.js's 'use server' enforcement is essential; opt into it.
Storing tokens in localStorage — XSS-vulnerable; use httpOnly cookies via Server Actions.
Hardcoding region/locale — breaks multi-market deployments.
Forgetting revalidatePath after Server Actions — stale UI.
MeiliSearch index drift — backend reindexes async; staging vs prod can disagree.
Hardcoding payment-method visibility in UI — let the backend's Market config drive it.
Bundling Sentry on the client with the server DSN — leaks credentials. Use the public DSN.
Pinning Next.js too aggressively — the storefront repo bumps Next.js minor versions; match the storefront's pin.

Always re-fetch the storefront repo's README before customizing — the codebase iterates rapidly with each Spree release.

Related Skills

orcaqubits/spree-extensions

tools

VerifiedTrustedCommunity

Build Spree extensions as Rails engines — gem scaffolding, `bin/rails g spree:extension`, mounting routes/migrations/assets, the modern `prepend` decorator pattern (`*_decorator.rb` with `self.prepended(base)`), generators (`spree:model_decorator`, `spree:controller_decorator`), the four customization surfaces in preference order (Events > Webhooks > Dependencies > Decorators), Spree::Dependencies for swapping service objects, gem release/versioning, and the deprecated Deface engine. Use when building a reusable Spree extension or adding non-trivial customization to an app.

27SKILL.mdUpdated May 14, 2026

orcaqubits/spree-extensions

orcaqubits/spree-events-webhooks

development

VerifiedTrustedCommunity

Build with Spree's event bus and Webhooks 2.0 — `Spree::Events` publication, `Spree::Subscriber` DSL with `subscribes_to` and `on`, wildcard matching, lifecycle events (`{model}.created/.updated/.deleted` via `publishes_lifecycle_events`), the canonical event catalog (order.*, payment.*, shipment.*, product.*), Webhooks 2.0 endpoints, HMAC-SHA256 signing (`X-Spree-Webhook-Signature`), exponential-backoff retries, and Sidekiq job orchestration. Use when wiring event-driven business logic, building webhook consumers, or replacing ActiveSupport callback chains.

27SKILL.mdUpdated May 14, 2026

orcaqubits/spree-events-webhooks

orcaqubits/spree-dev-patterns

tools

VerifiedTrustedCommunity

Cross-cutting Spree development patterns — the customization preference hierarchy (Events > Webhooks > Dependencies > Decorators), `Spree::Dependencies` service-object swapping, the `_decorator.rb` + `prepend` + `self.prepended` idiom, idempotent subscribers and webhook receivers, multi-store scoping discipline, prefixed IDs, calculator polymorphism (shipping/promotion/tax share the base), service-object composition with `dry-monads` or simple results, why to avoid `class_eval` reopening and Deface, and Spree-on-Rails idioms (Hotwire/Turbo Stimulus, ActiveStorage, Action Cable, Sidekiq). Use when designing the architecture of a Spree extension or solving cross-cutting concerns.

27SKILL.mdUpdated May 14, 2026

orcaqubits/spree-dev-patterns

orcaqubits/spree-deployment

development

VerifiedTrustedCommunity

Deploy Spree to production — PostgreSQL + Redis + Sidekiq stack, Docker multi-arch images on GHCR, the `spree-starter` Dockerfile + Compose, Heroku/Render/Fly.io/AWS targets, env-var conventions, RAILS_MASTER_KEY, asset precompilation (Tailwind 4 + Propshaft), Action Cable, MeiliSearch indexing, S3 / ActiveStorage for media, log/observability setup, zero-downtime deploys, and migration strategy. Use when going from local dev to production, scaling Spree, or troubleshooting deploys.

27SKILL.mdUpdated May 14, 2026

orcaqubits/spree-deployment

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/orcaqubits/agentic-commerce-claude-plugins.git

# Copy into Claude Code skills folder (global)
cp -r agentic-commerce-claude-plugins/dist/codex/spree-commerce/skills/spree-headless-storefront ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

orcaqubits/agentic-commerce-claude-plugins

27 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT