includio-cms 0.15.0 → 0.15.1

package/CHANGELOG.md

@@ -3,6 +3,40 @@
 All notable changes to includio-cms are documented here.
 Generated from `src/lib/updates/` — do not edit manually.
 
+## 0.15.1 — 2026-04-15
+
+Shop: PayU payment adapter + secure order access (token-gated view API, email link).
+
+### Added
+- Orders now carry an `accessToken` — public order-view API is gated by this token (no enumeration by order number).
+- New `createOrderHandler()` in `includio-cms/shop/http` — `GET /api/shop/orders/[number]?token=...` returns order + items + status history; accepts cookie fallback `aria_shop_order` written on checkout (30-min httpOnly).
+- `ShopConfig.orderViewUrl` template — placeholders `{orderNumber}`, `{orderId}`, `{accessToken}`, `{language}`. Default: `/shop/order/{orderNumber}?token={accessToken}`. When set to an absolute URL, status emails include a "View order" button.
+- New `createPaymentWebhookHandler()` — mount at `/api/shop/webhooks/[provider]/+server.ts`. Dispatches to the matching `PaymentAdapter.handleWebhook`, maps payment event to order status, and is idempotent (terminal orders ack 200 no-op — safe against provider retries). 400 on bad signature, 200 on unknown order.
+- Checkout now calls `PaymentAdapter.createPayment()` after the order is created. The response exposes `paymentStatus`, `requiresPaymentRedirect`, `redirectUrl`, and `accessToken` so the frontend can redirect to the gateway and deep-link back to the order view.
+- Orders store `paymentProviderRef` — the external id returned by the payment adapter (e.g. PayU orderId). Used to correlate webhooks and future refunds/status polls.
+- New `payuAdapter()` — OAuth token caching, create order (REST v2.1), MD5 `OpenPayU-Signature` verification on webhooks, full PayU status mapping (including REJECTED and WAITING_FOR_CONFIRMATION). Import from `includio-cms/shop`.
+- `PaymentAdapter.createPayment()` receives an optional `{ customerIp, language }` context, threaded from the SvelteKit request in the built-in checkout handler.
+- Shipping ↔ payment compatibility: `shop_shipping_methods.allowed_payment_methods` (jsonb string[] | null). Null/empty = any payment method allowed; otherwise checkout rejects the order when the chosen payment is not in the list (e.g. disable COD for paczkomat). The shipping-methods API exposes the list so the frontend can filter payment options per shipping choice.
+- Admin: shipping method form now exposes an "allowed payment methods" section with a restrict toggle + multi-select of configured payment adapters. `getShopConfig` remote returns the payment adapter list (id + i18n label).
+- New optional `PaymentAdapter.getStatus(providerRef)` for provider-side polling, plus `createRefreshPaymentHandler()` mounted at `/api/shop/orders/[number]/refresh-payment`. Token-gated (same as order view). Used as a safety net when a webhook is lost — PayU adapter implements it out of the box.
+- Retry payment — `createRetryPaymentHandler()` at `POST /api/shop/orders/[number]/retry-payment`. Reuses the same order, creates a fresh payment session via the adapter, stores the new `paymentProviderRef`. Status `paymentRejected` is rolled back to `awaitingPayment`. Terminal states return 409.
+- Shop SDK: new `orders` namespace on `createShopClient()` — `get(number, token)`, `refreshPayment(number, token)`, `retryPayment(number, token)`. All response types exported from `includio-cms/shop/client`.
+- Headless Svelte 5 helper `createOrderState({ number, token, initialData? })` — reactive state class with `data/loading/error/phase`, `load()`, `refreshPayment()`, `retry()`, `startPolling()/stopPolling()`. Supports SSR via `initialData`.
+- Generic `<OrderStatus />` Svelte component — drop-in order view with awaiting/success/rejected states, auto-polling, retry button, status timeline. Full theming via CSS custom properties and `::part()`. Import from `includio-cms/shop/svelte`.
+- Docs: new section covering the shop module, order view patterns (generic vs headless), and retry lifecycle.
+
+### Migration
+
+```sql
+ALTER TABLE shop_orders ADD COLUMN access_token uuid NOT NULL DEFAULT gen_random_uuid();
+ALTER TABLE shop_orders ADD COLUMN payment_provider_ref text;
+ALTER TABLE shop_shipping_methods ADD COLUMN allowed_payment_methods jsonb;
+```
+
+### Notes
+
+Requires `gen_random_uuid()` (pgcrypto or Postgres 13+). Existing orders get a fresh random token on migration — pre-existing customer links keep working because order view links were not shipped before this version.
+
 ## 0.15.0 — 2026-04-14
 
 Shop module MVP — headless e-commerce: products, cart, orders, payments, emails

package/DOCS.md

@@ -1,4 +1,4 @@
-# Includio CMS Documentation (v0.15.0)
+# Includio CMS Documentation (v0.15.1)
 
 > This file is auto-generated from the docs site. For the latest version, update the package.
 
@@ -4297,6 +4297,236 @@ Options for `create`/`createAndPublish`: `{ skipValidation?, sortOrder?, lang? }
 > **Delete Restrictions:** Only archived entries can be permanently deleted. Call `archive` first, then `delete`.
 
 
+---
+
+# Shop
+
+Headless e-commerce module. Optional — activate by adding `shop: defineShop({...})` to your CMS config.
+
+> Shop is in beta. API may change between 0.15.x patches.
+
+## What you get
+
+- **Products as entries** — add `{ type: 'shop', slug: 'shop' }` to any collection; its entries become purchasable.
+- **Cart** — signed cookie, headless SDK (`createShopClient()`), `POST/PATCH/DELETE /api/shop/cart`.
+- **Checkout + orders** — `POST /api/shop/checkout` creates an order with consent validation, stock reservation (30-min TTL), and status emails.
+- **Payment adapters** — `manualAdapter()` (bank transfer / COD) and `payuAdapter()` ship built-in; plug your own by implementing `PaymentAdapter`.
+- **Webhook infrastructure** — `createPaymentWebhookHandler()` dispatches provider callbacks, verifies signatures, is idempotent.
+- **Secure order view** — per-order `accessToken` + cookie fallback + `GET /api/shop/orders/[number]` token-gated API.
+- **Shipping ↔ payment compatibility** — restrict payment methods per shipping (e.g. no COD for paczkomat).
+
+## Config
+
+```ts
+import { defineShop, manualAdapter, payuAdapter } from 'includio-cms/shop';
+
+export const cmsConfig = defineCMS({
+  shop: defineShop({
+    currency: 'PLN',
+    vatRates: [23, 8, 0],
+    orderViewUrl: `${process.env.PUBLIC_URL}/shop/order/{orderNumber}?token={accessToken}`,
+    payment: [
+      manualAdapter({ id: 'transfer', label: { pl: 'Przelew', en: 'Bank transfer' } }),
+      payuAdapter({
+        posId: process.env.PAYU_POS_ID!,
+        clientId: process.env.PAYU_CLIENT_ID!,
+        clientSecret: process.env.PAYU_CLIENT_SECRET!,
+        secondKey: process.env.PAYU_SECOND_KEY!,
+        environment: 'sandbox',
+        notifyUrl: `${process.env.PUBLIC_URL}/api/shop/webhooks/payu`
+      })
+    ],
+    features: { variants: true, stock: true },
+    consents: [{ id: 'terms', required: true, labelI18n: { pl: 'Akceptuję regulamin', en: 'I accept terms' } }]
+  })
+})
+```
+
+## Routes
+
+Scaffold provisions these endpoints in your app:
+
+| Path | Handler | Purpose |
+|------|---------|---------|
+| `POST /api/shop/cart` | `createCartHandler()` | Cart CRUD |
+| `GET /api/shop/shipping-methods` | `createShippingMethodsHandler()` | List active shipping |
+| `POST /api/shop/checkout` | `createCheckoutHandler()` | Create order + initiate payment |
+| `GET /api/shop/orders/[number]` | `createOrderHandler()` | Token-gated order view |
+| `POST /api/shop/orders/[number]/refresh-payment` | `createRefreshPaymentHandler()` | Pull status from provider |
+| `POST /api/shop/orders/[number]/retry-payment` | `createRetryPaymentHandler()` | New payment attempt |
+| `POST /api/shop/webhooks/[provider]` | `createPaymentWebhookHandler()` | Provider callbacks |
+
+## See also
+
+- [Order view](/docs/shop/order-view) — generic `<OrderStatus>` component + headless helper
+- [Retry payment](/docs/shop/retry-payment) — lifecycle + endpoint
+
+
+---
+
+# Order view
+
+After checkout the customer needs a page that shows their order status, payment outcome, and retry options. Shop offers two paths — a batteries-included component for quick projects, and a headless helper for custom designs.
+
+## 1. Generic component (`<OrderStatus />`)
+
+Drop-in view with three visual states (awaiting payment / success / rejected), auto-polling, retry button, status timeline. Theme through CSS custom properties.
+
+```svelte
+<!-- src/routes/shop/order/[number]/+page.svelte -->
+<OrderStatus {number} {token} />
+```
+
+### Theming
+
+All styling sits on CSS variables — override in your page or app.css:
+
+```css
+.aria-order-status {
+  --shop-bg: #171717;
+  --shop-fg: #f2e9e1;
+  --shop-muted: rgba(242, 233, 225, 0.6);
+  --shop-accent: #f2e9e1;
+  --shop-success: #8fb58c;
+  --shop-error: #c44b4b;
+  --shop-border: rgba(242, 233, 225, 0.15);
+  --shop-radius: 2px;
+  --shop-font-display: 'Syncopate', sans-serif;
+  --shop-font-body: 'Figtree', sans-serif;
+}
+```
+
+Fine-grained overrides via `part="..."` selectors:
+
+```css
+.aria-order-status::part(title) { text-transform: uppercase; }
+.aria-order-status::part(btn-retry) { letter-spacing: 0.08em; }
+```
+
+### Props
+
+| Prop | Type | Notes |
+|------|------|-------|
+| `number` | `string` | Order number (from URL) |
+| `token` | `string?` | Access token from `?token=`; falls back to cookie |
+| `initialData` | `OrderDetailResponse?` | SSR snapshot from `+page.server.ts` |
+| `labels` | `Partial<OrderStatusLabels>` | Override copy (Polish by default) |
+| `autoPoll` | `boolean` | Default `true` — polls every 5s when status is `awaitingPayment` |
+| `onPaid` | `(data) => void` | Fires the first time status becomes `paid` |
+
+### SSR
+
+Fetch on the server for instant render and email-from-SPA support:
+
+```ts
+// +page.server.ts
+import { createShopClient } from 'includio-cms/shop/client';
+import { readOrderTokenCookie } from 'includio-cms/shop/client'; // exposed from shop module
+
+export const load = async ({ params, url, cookies, fetch }) => {
+  const client = createShopClient({ fetch });
+  const token = url.searchParams.get('token') ?? undefined;
+  try {
+    const initialData = await client.orders.get(params.number, token);
+    return { initialData, token };
+  } catch {
+    return { initialData: null, token };
+  }
+};
+```
+
+## 2. Custom UI (headless)
+
+For fully custom designs, use `createOrderState` — a reactive Svelte 5 state object. Build whatever markup you want.
+
+```svelte
+{#if order.loading && !order.data}
+  <p>Ładowanie…</p>
+{:else if order.data}
+  {@const o = order.data.order}
+  <h1>Zamówienie {o.number}</h1>
+  <p>Status: {o.status}</p>
+
+  {#if o.status === 'awaitingPayment' || o.status === 'paymentRejected'}
+    <button onclick={handleRetry} disabled={order.phase === 'retrying'}>
+      Zapłać ponownie
+    </button>
+  {/if}
+{/if}
+```
+
+### State API
+
+- `order.data` — `OrderDetailResponse | null`
+- `order.loading` — initial fetch flag
+- `order.error` — last error (`Error | null`)
+- `order.phase` — `'idle' | 'polling' | 'retrying' | 'refreshing'`
+- `order.status` — shorthand for `data.order.status`
+- `order.load()` — fetch fresh data
+- `order.refreshPayment()` — ask provider for latest (useful if webhook is lost)
+- `order.retry()` — create new payment attempt, returns `redirectUrl | null`
+- `order.startPolling() / stopPolling()` — auto-refresh every 5s (max 2min), stops on terminal status
+- `order.dispose()` — clear timers (call in `onDestroy`)
+
+## Security
+
+- Every order has an `accessToken` (uuid). The view API (`/api/shop/orders/[number]`) requires it in `?token=` or in the `aria_shop_order` cookie (same-browser fallback, 30-min httpOnly).
+- Status emails include the full URL with token — the customer can return from any device.
+- Order numbers are Crockford base32 but token-gating prevents enumeration regardless.
+
+
+---
+
+# Retry payment
+
+When a payment attempt is rejected or left hanging, the customer must be able to try again without going through checkout a second time.
+
+## Lifecycle
+
+1. Customer completes checkout → order created with status `awaitingPayment`, adapter creates a payment session, `paymentProviderRef` stored.
+2. Something goes wrong — customer cancels on gateway, card declined, session expires → webhook flips status to `paymentRejected` (or stays `awaitingPayment` if the gateway never called back).
+3. Customer hits "Zapłać ponownie" on the order view.
+4. `POST /api/shop/orders/[number]/retry-payment?token=...` →
+   - token-gated, status must be `awaitingPayment` or `paymentRejected` (409 otherwise)
+   - adapter's `createPayment()` is called again with the same `OrderRef`
+   - new `paymentProviderRef` replaces the old one
+   - if coming from `paymentRejected`, status rolls back to `awaitingPayment` (logged in status history as `changedBy: 'retry-payment'`)
+   - response contains `redirectUrl` for the new gateway session
+
+## SDK
+
+```ts
+import { createShopClient } from 'includio-cms/shop/client';
+
+const client = createShopClient();
+const result = await client.orders.retryPayment(orderNumber, token);
+
+if (result.requiresPaymentRedirect && result.redirectUrl) {
+  window.location.href = result.redirectUrl;
+}
+```
+
+## With `createOrderState`
+
+The headless helper handles the redirect for you — it returns the URL, you navigate:
+
+```ts
+const url = await order.retry();
+if (url) window.location.href = url;
+```
+
+## Constraints
+
+- The same order is reused — numbers, tokens, items, totals stay the same.
+- Terminal statuses (`paid`, `done`, `cancelled`) block retry with **409**.
+- Orders without a payment method or whose adapter was removed from config return **400**.
+- Adapter errors bubble up as **502**.
+
+## Admin override
+
+If the customer is completely stuck, the admin can manually move the order to `paid` / `cancelled` from the orders detail page — same as before, status-change emails trigger automatically.
+
+
 ---
 
 # Migration Guide

package/ROADMAP.md

@@ -303,8 +303,8 @@
 - [x] `[feature]` `[P0]` Admin orders view — list (status + email filter), detail (items, history, customer/address/consents, change status, resend email)
 - [x] `[feature]` `[P0]` Random Crockford base32 order numbers (`XXXXX-XXXXX`), unguessable
 - [x] `[feature]` `[P0]` CLI scaffold provisions all shop routes (admin + public API) in consumer app
-- [ ] `[feature]` `[P1]` Stripe payment adapter + webhook — deferred to 0.15.1
-- [ ] `[feature]` `[P1]` PayU payment adapter + webhook — deferred to 0.15.2
+- [x] `[feature]` `[P1]` PayU payment adapter + webhook — shipped in 0.15.1 (access-token-gated order view, idempotent webhooks, MD5 signature, shipping↔payment compat, poll fallback)
+- [ ] `[feature]` `[P1]` Stripe payment adapter + webhook — deferred to 0.15.2
 - [ ] `[feature]` `[P2]` InPost carrier adapter (headless geowidget config) — deferred to 0.15.3
 - [x] `[feature]` `[P2]` `nodemailerAdapter` — typowanie `transportOptions` jako `SMTPTransport.Options` (OAuth2, pool, itd.)
 

package/dist/admin/client/shop/shipping-method-edit-page.svelte

@@ -104,6 +104,7 @@
 		<ShippingMethodForm
 			languages={configQuery.current.languages}
 			vatRates={configQuery.current.vatRates}
+			paymentMethods={configQuery.current.paymentMethods}
 			initial={methodQuery.current}
 			{saving}
 			{errorMessage}

package/dist/admin/client/shop/shipping-method-form.svelte

@@ -3,6 +3,10 @@
 	import { Switch } from '../../../components/ui/switch/index.js';
 
 	type CarrierType = 'none' | 'inpost';
+	export interface PaymentMethodOption {
+		id: string;
+		label: Record<string, string>;
+	}
 	export interface ShippingFormPayload {
 		name: Record<string, string>;
 		description: Record<string, string> | null;
@@ -10,6 +14,7 @@
 		vatRate: number;
 		carrierType: CarrierType;
 		conditions: { freeAbove?: number } | null;
+		allowedPaymentMethods: string[] | null;
 		isActive: boolean;
 		sortOrder: number | null;
 	}
@@ -20,6 +25,7 @@
 		vatRate?: number;
 		carrierType?: string;
 		conditions?: { freeAbove?: number } | null;
+		allowedPaymentMethods?: string[] | null;
 		isActive?: boolean;
 		sortOrder?: number | null;
 	}
@@ -27,6 +33,7 @@
 	interface Props {
 		languages: string[];
 		vatRates: number[];
+		paymentMethods?: PaymentMethodOption[];
 		initial?: ShippingFormInitial | null;
 		saving?: boolean;
 		errorMessage?: string | null;
@@ -37,6 +44,7 @@
 	const {
 		languages,
 		vatRates,
+		paymentMethods = [],
 		initial = null,
 		saving = false,
 		errorMessage = null,
@@ -87,6 +95,26 @@
 	}
 	let carrierType = $state<CarrierType>((initial?.carrierType as CarrierType) ?? 'none');
 	let isActive = $state(initial?.isActive ?? true);
+	// null/undefined = no restriction (all allowed); otherwise a whitelist.
+	let restrictPayments = $state(
+		Array.isArray(initial?.allowedPaymentMethods) && (initial?.allowedPaymentMethods?.length ?? 0) > 0
+	);
+	let allowedPaymentIds = $state<string[]>(
+		Array.isArray(initial?.allowedPaymentMethods) ? [...(initial?.allowedPaymentMethods ?? [])] : []
+	);
+
+	function togglePaymentMethod(id: string, checked: boolean) {
+		if (checked) {
+			if (!allowedPaymentIds.includes(id)) allowedPaymentIds = [...allowedPaymentIds, id];
+		} else {
+			allowedPaymentIds = allowedPaymentIds.filter((x) => x !== id);
+		}
+	}
+
+	function paymentLabel(p: PaymentMethodOption): string {
+		const first = languages[0] ?? 'pl';
+		return p.label[first] ?? Object.values(p.label)[0] ?? p.id;
+	}
 	let freeAboveEnabled = $state(initial?.conditions?.freeAbove != null);
 	let freeAbove = $state(
 		initial?.conditions?.freeAbove != null
@@ -104,6 +132,7 @@
 			conditions: freeAboveEnabled
 				? { freeAbove: Math.round(parseFloat(freeAbove || '0') * 100) }
 				: null,
+			allowedPaymentMethods: restrictPayments ? allowedPaymentIds : null,
 			isActive,
 			sortOrder: initial?.sortOrder ?? null
 		});
@@ -226,6 +255,42 @@
 		{/if}
 	</section>
 
+	{#if paymentMethods.length > 0}
+		<section class="border-border bg-card space-y-4 rounded-xl border p-6">
+			<h2 class="text-lg font-bold">Dozwolone metody płatności</h2>
+			<p class="text-muted-foreground text-sm">
+				Ogranicz metody płatności dla tej dostawy (np. wyłącz płatność za pobraniem dla
+				paczkomatu). Jeśli wyłączone — wszystkie skonfigurowane metody są dostępne.
+			</p>
+			<label class="flex items-center gap-2">
+				<Switch bind:checked={restrictPayments} />
+				<span class="text-sm">Ogranicz metody płatności</span>
+			</label>
+			{#if restrictPayments}
+				<div class="space-y-2 pl-2">
+					{#each paymentMethods as p (p.id)}
+						<label class="flex items-center gap-2">
+							<input
+								type="checkbox"
+								checked={allowedPaymentIds.includes(p.id)}
+								onchange={(e) =>
+									togglePaymentMethod(p.id, (e.currentTarget as HTMLInputElement).checked)}
+							/>
+							<span class="text-sm">{paymentLabel(p)}</span>
+							<span class="text-muted-foreground text-xs">({p.id})</span>
+						</label>
+					{/each}
+					{#if allowedPaymentIds.length === 0}
+						<p class="text-xs text-amber-700">
+							Wybierz co najmniej jedną metodę, inaczej checkout dla tej dostawy będzie
+							zablokowany.
+						</p>
+					{/if}
+				</div>
+			{/if}
+		</section>
+	{/if}
+
 	<section class="border-border bg-card space-y-4 rounded-xl border p-6">
 		<h2 class="text-lg font-bold">Przewoźnik</h2>
 		<label class="block">

package/dist/admin/client/shop/shipping-method-form.svelte.d.ts

@@ -1,4 +1,8 @@
 type CarrierType = 'none' | 'inpost';
+export interface PaymentMethodOption {
+    id: string;
+    label: Record<string, string>;
+}
 export interface ShippingFormPayload {
     name: Record<string, string>;
     description: Record<string, string> | null;
@@ -8,6 +12,7 @@ export interface ShippingFormPayload {
     conditions: {
         freeAbove?: number;
     } | null;
+    allowedPaymentMethods: string[] | null;
     isActive: boolean;
     sortOrder: number | null;
 }
@@ -20,12 +25,14 @@ export interface ShippingFormInitial {
     conditions?: {
         freeAbove?: number;
     } | null;
+    allowedPaymentMethods?: string[] | null;
     isActive?: boolean;
     sortOrder?: number | null;
 }
 interface Props {
     languages: string[];
     vatRates: number[];
+    paymentMethods?: PaymentMethodOption[];
     initial?: ShippingFormInitial | null;
     saving?: boolean;
     errorMessage?: string | null;

package/dist/admin/client/shop/shipping-method-new-page.svelte

@@ -39,6 +39,7 @@
 		<ShippingMethodForm
 			languages={configQuery.current.languages}
 			vatRates={configQuery.current.vatRates}
+			paymentMethods={configQuery.current.paymentMethods}
 			{saving}
 			{errorMessage}
 			onsubmit={handleSubmit}

package/dist/admin/remote/shop.remote.d.ts

@@ -4,6 +4,10 @@ export declare const getShopConfig: import("@sveltejs/kit").RemoteQueryFunction<
     vatRates: number[];
     features: Required<import("../../shop/types.js").ShopFeatures>;
     languages: import("../../types/languages.js").Language[];
+    paymentMethods: {
+        id: string;
+        label: import("../../shop/types.js").I18nText;
+    }[];
 } | null>;
 export declare const listShopProductEntries: import("@sveltejs/kit").RemoteQueryFunction<void, import("../../shop/server/shop-data.js").ShopEntryListItem[]>;
 export declare const getShopDataForEntry: import("@sveltejs/kit").RemoteQueryFunction<string, import("../../shop/server/shop-data.js").ShopDataWithVariants | null>;
@@ -40,6 +44,7 @@ export declare const listShippingMethodsAdmin: import("@sveltejs/kit").RemoteQue
     conditions: {
         freeAbove?: number;
     } | null;
+    allowedPaymentMethods: string[] | null;
 }[]>;
 export declare const getShippingMethodForAdmin: import("@sveltejs/kit").RemoteQueryFunction<string, {
     id: string;
@@ -54,6 +59,7 @@ export declare const getShippingMethodForAdmin: import("@sveltejs/kit").RemoteQu
     conditions: {
         freeAbove?: number;
     } | null;
+    allowedPaymentMethods: string[] | null;
 } | null>;
 export declare const createShippingMethodCmd: import("@sveltejs/kit").RemoteCommand<{
     name: Record<string, string>;
@@ -64,6 +70,7 @@ export declare const createShippingMethodCmd: import("@sveltejs/kit").RemoteComm
     conditions?: {
         freeAbove?: number | undefined;
     } | null | undefined;
+    allowedPaymentMethods?: string[] | null | undefined;
     isActive?: boolean | undefined;
     sortOrder?: number | null | undefined;
 }, Promise<{
@@ -79,6 +86,7 @@ export declare const createShippingMethodCmd: import("@sveltejs/kit").RemoteComm
     conditions: {
         freeAbove?: number;
     } | null;
+    allowedPaymentMethods: string[] | null;
 }>>;
 export declare const updateShippingMethodCmd: import("@sveltejs/kit").RemoteCommand<{
     id: string;
@@ -91,6 +99,7 @@ export declare const updateShippingMethodCmd: import("@sveltejs/kit").RemoteComm
         conditions?: {
             freeAbove?: number | undefined;
         } | null | undefined;
+        allowedPaymentMethods?: string[] | null | undefined;
         isActive?: boolean | undefined;
         sortOrder?: number | null | undefined;
     };
@@ -107,6 +116,7 @@ export declare const updateShippingMethodCmd: import("@sveltejs/kit").RemoteComm
     conditions: {
         freeAbove?: number;
     } | null;
+    allowedPaymentMethods: string[] | null;
 }>>;
 export declare const deleteShippingMethodCmd: import("@sveltejs/kit").RemoteCommand<string, Promise<{
     success: boolean;
@@ -126,6 +136,7 @@ export declare const listOrdersAdmin: import("@sveltejs/kit").RemoteQueryFunctio
     createdAt: Date;
     updatedAt: Date;
     language: string | null;
+    accessToken: string;
     consents: {
         id: string;
         accepted: boolean;
@@ -145,6 +156,7 @@ export declare const listOrdersAdmin: import("@sveltejs/kit").RemoteQueryFunctio
     shippingMethodId: string | null;
     carrierRef: string | null;
     paymentMethod: string | null;
+    paymentProviderRef: string | null;
     notes: string | null;
 }[]>;
 export declare const getOrderForAdmin: import("@sveltejs/kit").RemoteQueryFunction<string, {
@@ -155,6 +167,7 @@ export declare const getOrderForAdmin: import("@sveltejs/kit").RemoteQueryFuncti
         createdAt: Date;
         updatedAt: Date;
         language: string | null;
+        accessToken: string;
         consents: {
             id: string;
             accepted: boolean;
@@ -174,6 +187,7 @@ export declare const getOrderForAdmin: import("@sveltejs/kit").RemoteQueryFuncti
         shippingMethodId: string | null;
         carrierRef: string | null;
         paymentMethod: string | null;
+        paymentProviderRef: string | null;
         notes: string | null;
     };
     items: {
@@ -208,6 +222,7 @@ export declare const updateOrderStatusCmd: import("@sveltejs/kit").RemoteCommand
     createdAt: Date;
     updatedAt: Date;
     language: string | null;
+    accessToken: string;
     consents: {
         id: string;
         accepted: boolean;
@@ -227,6 +242,7 @@ export declare const updateOrderStatusCmd: import("@sveltejs/kit").RemoteCommand
     shippingMethodId: string | null;
     carrierRef: string | null;
     paymentMethod: string | null;
+    paymentProviderRef: string | null;
     notes: string | null;
 }>>;
 export declare const resendOrderEmailCmd: import("@sveltejs/kit").RemoteCommand<{

package/dist/admin/remote/shop.remote.js

@@ -18,7 +18,8 @@ export const getShopConfig = query(async () => {
         currency: shop.currency,
         vatRates: shop.vatRates,
         features: shop.features,
-        languages: getCMS().languages
+        languages: getCMS().languages,
+        paymentMethods: shop.payment.map((p) => ({ id: p.id, label: p.label }))
     };
 });
 export const listShopProductEntries = query(async () => {
@@ -66,6 +67,7 @@ const shippingMethodInputSchema = z.object({
         .object({ freeAbove: z.number().int().nonnegative().optional() })
         .nullable()
         .optional(),
+    allowedPaymentMethods: z.array(z.string()).nullable().optional(),
     isActive: z.boolean().optional(),
     sortOrder: z.number().int().nullable().optional()
 });

package/dist/cli/scaffold/admin.js

@@ -214,6 +214,38 @@ export const { GET } = createShippingMethodsHandler();
 import { createCheckoutHandler } from 'includio-cms/shop/http';
 
 export const { POST } = createCheckoutHandler();
+`
+        },
+        {
+            path: 'api/shop/orders/[number]/+server.ts',
+            content: `${GENERATED_COMMENT_TS}
+import { createOrderHandler } from 'includio-cms/shop/http';
+
+export const { GET } = createOrderHandler();
+`
+        },
+        {
+            path: 'api/shop/webhooks/[provider]/+server.ts',
+            content: `${GENERATED_COMMENT_TS}
+import { createPaymentWebhookHandler } from 'includio-cms/shop/http';
+
+export const { POST } = createPaymentWebhookHandler();
+`
+        },
+        {
+            path: 'api/shop/orders/[number]/refresh-payment/+server.ts',
+            content: `${GENERATED_COMMENT_TS}
+import { createRefreshPaymentHandler } from 'includio-cms/shop/http';
+
+export const { POST } = createRefreshPaymentHandler();
+`
+        },
+        {
+            path: 'api/shop/orders/[number]/retry-payment/+server.ts',
+            content: `${GENERATED_COMMENT_TS}
+import { createRetryPaymentHandler } from 'includio-cms/shop/http';
+
+export const { POST } = createRetryPaymentHandler();
 `
         },
         {

package/dist/db-postgres/schema/shop/order.d.ts

@@ -296,6 +296,23 @@ export declare const shopOrdersTable: import("drizzle-orm/pg-core/table", { with
             identity: undefined;
             generated: undefined;
         }, {}, {}>;
+        paymentProviderRef: import("drizzle-orm/pg-core", { with: { "resolution-mode": "require" } }).PgColumn<{
+            name: "payment_provider_ref";
+            tableName: "shop_orders";
+            dataType: "string";
+            columnType: "PgText";
+            data: string;
+            driverParam: string;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
         consents: import("drizzle-orm/pg-core", { with: { "resolution-mode": "require" } }).PgColumn<{
             name: "consents";
             tableName: "shop_orders";
@@ -357,6 +374,23 @@ export declare const shopOrdersTable: import("drizzle-orm/pg-core/table", { with
             identity: undefined;
             generated: undefined;
         }, {}, {}>;
+        accessToken: import("drizzle-orm/pg-core", { with: { "resolution-mode": "require" } }).PgColumn<{
+            name: "access_token";
+            tableName: "shop_orders";
+            dataType: "string";
+            columnType: "PgUUID";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
         createdAt: import("drizzle-orm/pg-core", { with: { "resolution-mode": "require" } }).PgColumn<{
             name: "created_at";
             tableName: "shop_orders";