includio-cms 0.15.0 → 0.15.2

package/CHANGELOG.md

@@ -3,6 +3,67 @@
 All notable changes to includio-cms are documented here.
 Generated from `src/lib/updates/` — do not edit manually.
 
+## 0.15.2 — 2026-04-15
+
+Shop: cena przechowywana jako numeric(20,6) — eliminacja driftu brutto/netto po reload; toggle netto/brutto per wariant.
+
+### Added
+- Warianty produktu mają teraz toggle netto/brutto obok pola "Zmiana ceny" — spójne z toggle'em ceny bazowej. Delta zapisywana kanonicznie jako netto.
+
+### Fixed
+- Shop: po wpisaniu ceny brutto (np. 65,00 zł przy VAT 23%) i refreshu, cena nie "ucieka" o ±1 grosz. Wartości przechowywane są jako PLN z 6 miejscami po przecinku (wzorzec PrestaShop), zamiast jednostek groszy — brutto zawsze odtwarzane z netto bez utraty informacji.
+- Shipping: ta sama poprawka dla ceny metody wysyłki (stored jako netto PLN z 6dp).
+
+### Breaking
+- Kolumny `shop_products.base_price`, `shop_product_variants.price_delta`, `shop_shipping_methods.price` zmieniły typ z `integer` (grosze) na `numeric(20,6)` (PLN). Snapshot zamówienia (`shop_orders.*`, `shop_order_items.price_*_snapshot`) pozostaje w groszach (`integer`) — KSeF-compatible.
+- Publiczne typy `ShopDataWithVariants.basePrice`, `VariantRow.priceDelta`, `ShippingMethodRow.price` — wartość dalej `number`, ale wyrażona w PLN (nie groszach). Dla konsumentów SDK/populate: mnożenie × 100 jeśli potrzebujesz groszy.
+
+### Migration
+
+```sql
+ALTER TABLE shop_products ALTER COLUMN base_price TYPE numeric(20,6) USING (base_price::numeric / 100);
+ALTER TABLE shop_product_variants ALTER COLUMN price_delta TYPE numeric(20,6) USING (price_delta::numeric / 100);
+ALTER TABLE shop_shipping_methods ALTER COLUMN price TYPE numeric(20,6) USING (price::numeric / 100);
+```
+
+### Notes
+
+Migrację SQL trzeba uruchomić RAZ, PRZED `db:push` — dzieli istniejące wartości ÷100, bo stare dane były w groszach, a nowy typ przechowuje PLN. Po migracji `db:push` tylko zsynchronizuje schemat (bez zmiany danych).
+
+## 0.15.1 — 2026-04-15
+
+Shop: PayU payment adapter + secure order access (token-gated view API, email link).
+
+### Added
+- Orders now carry an `accessToken` — public order-view API is gated by this token (no enumeration by order number).
+- New `createOrderHandler()` in `includio-cms/shop/http` — `GET /api/shop/orders/[number]?token=...` returns order + items + status history; accepts cookie fallback `aria_shop_order` written on checkout (30-min httpOnly).
+- `ShopConfig.orderViewUrl` template — placeholders `{orderNumber}`, `{orderId}`, `{accessToken}`, `{language}`. Default: `/shop/order/{orderNumber}?token={accessToken}`. When set to an absolute URL, status emails include a "View order" button.
+- New `createPaymentWebhookHandler()` — mount at `/api/shop/webhooks/[provider]/+server.ts`. Dispatches to the matching `PaymentAdapter.handleWebhook`, maps payment event to order status, and is idempotent (terminal orders ack 200 no-op — safe against provider retries). 400 on bad signature, 200 on unknown order.
+- Checkout now calls `PaymentAdapter.createPayment()` after the order is created. The response exposes `paymentStatus`, `requiresPaymentRedirect`, `redirectUrl`, and `accessToken` so the frontend can redirect to the gateway and deep-link back to the order view.
+- Orders store `paymentProviderRef` — the external id returned by the payment adapter (e.g. PayU orderId). Used to correlate webhooks and future refunds/status polls.
+- New `payuAdapter()` — OAuth token caching, create order (REST v2.1), MD5 `OpenPayU-Signature` verification on webhooks, full PayU status mapping (including REJECTED and WAITING_FOR_CONFIRMATION). Import from `includio-cms/shop`.
+- `PaymentAdapter.createPayment()` receives an optional `{ customerIp, language }` context, threaded from the SvelteKit request in the built-in checkout handler.
+- Shipping ↔ payment compatibility: `shop_shipping_methods.allowed_payment_methods` (jsonb string[] | null). Null/empty = any payment method allowed; otherwise checkout rejects the order when the chosen payment is not in the list (e.g. disable COD for paczkomat). The shipping-methods API exposes the list so the frontend can filter payment options per shipping choice.
+- Admin: shipping method form now exposes an "allowed payment methods" section with a restrict toggle + multi-select of configured payment adapters. `getShopConfig` remote returns the payment adapter list (id + i18n label).
+- New optional `PaymentAdapter.getStatus(providerRef)` for provider-side polling, plus `createRefreshPaymentHandler()` mounted at `/api/shop/orders/[number]/refresh-payment`. Token-gated (same as order view). Used as a safety net when a webhook is lost — PayU adapter implements it out of the box.
+- Retry payment — `createRetryPaymentHandler()` at `POST /api/shop/orders/[number]/retry-payment`. Reuses the same order, creates a fresh payment session via the adapter, stores the new `paymentProviderRef`. Status `paymentRejected` is rolled back to `awaitingPayment`. Terminal states return 409.
+- Shop SDK: new `orders` namespace on `createShopClient()` — `get(number, token)`, `refreshPayment(number, token)`, `retryPayment(number, token)`. All response types exported from `includio-cms/shop/client`.
+- Headless Svelte 5 helper `createOrderState({ number, token, initialData? })` — reactive state class with `data/loading/error/phase`, `load()`, `refreshPayment()`, `retry()`, `startPolling()/stopPolling()`. Supports SSR via `initialData`.
+- Generic `<OrderStatus />` Svelte component — drop-in order view with awaiting/success/rejected states, auto-polling, retry button, status timeline. Full theming via CSS custom properties and `::part()`. Import from `includio-cms/shop/svelte`.
+- Docs: new section covering the shop module, order view patterns (generic vs headless), and retry lifecycle.
+
+### Migration
+
+```sql
+ALTER TABLE shop_orders ADD COLUMN access_token uuid NOT NULL DEFAULT gen_random_uuid();
+ALTER TABLE shop_orders ADD COLUMN payment_provider_ref text;
+ALTER TABLE shop_shipping_methods ADD COLUMN allowed_payment_methods jsonb;
+```
+
+### Notes
+
+Requires `gen_random_uuid()` (pgcrypto or Postgres 13+). Existing orders get a fresh random token on migration — pre-existing customer links keep working because order view links were not shipped before this version.
+
 ## 0.15.0 — 2026-04-14
 
 Shop module MVP — headless e-commerce: products, cart, orders, payments, emails

package/DOCS.md

@@ -1,4 +1,4 @@
-# Includio CMS Documentation (v0.15.0)
+# Includio CMS Documentation (v0.15.2)
 
 > This file is auto-generated from the docs site. For the latest version, update the package.
 
@@ -4297,6 +4297,236 @@ Options for `create`/`createAndPublish`: `{ skipValidation?, sortOrder?, lang? }
 > **Delete Restrictions:** Only archived entries can be permanently deleted. Call `archive` first, then `delete`.
 
 
+---
+
+# Shop
+
+Headless e-commerce module. Optional — activate by adding `shop: defineShop({...})` to your CMS config.
+
+> Shop is in beta. API may change between 0.15.x patches.
+
+## What you get
+
+- **Products as entries** — add `{ type: 'shop', slug: 'shop' }` to any collection; its entries become purchasable.
+- **Cart** — signed cookie, headless SDK (`createShopClient()`), `POST/PATCH/DELETE /api/shop/cart`.
+- **Checkout + orders** — `POST /api/shop/checkout` creates an order with consent validation, stock reservation (30-min TTL), and status emails.
+- **Payment adapters** — `manualAdapter()` (bank transfer / COD) and `payuAdapter()` ship built-in; plug your own by implementing `PaymentAdapter`.
+- **Webhook infrastructure** — `createPaymentWebhookHandler()` dispatches provider callbacks, verifies signatures, is idempotent.
+- **Secure order view** — per-order `accessToken` + cookie fallback + `GET /api/shop/orders/[number]` token-gated API.
+- **Shipping ↔ payment compatibility** — restrict payment methods per shipping (e.g. no COD for paczkomat).
+
+## Config
+
+```ts
+import { defineShop, manualAdapter, payuAdapter } from 'includio-cms/shop';
+
+export const cmsConfig = defineCMS({
+  shop: defineShop({
+    currency: 'PLN',
+    vatRates: [23, 8, 0],
+    orderViewUrl: `${process.env.PUBLIC_URL}/shop/order/{orderNumber}?token={accessToken}`,
+    payment: [
+      manualAdapter({ id: 'transfer', label: { pl: 'Przelew', en: 'Bank transfer' } }),
+      payuAdapter({
+        posId: process.env.PAYU_POS_ID!,
+        clientId: process.env.PAYU_CLIENT_ID!,
+        clientSecret: process.env.PAYU_CLIENT_SECRET!,
+        secondKey: process.env.PAYU_SECOND_KEY!,
+        environment: 'sandbox',
+        notifyUrl: `${process.env.PUBLIC_URL}/api/shop/webhooks/payu`
+      })
+    ],
+    features: { variants: true, stock: true },
+    consents: [{ id: 'terms', required: true, labelI18n: { pl: 'Akceptuję regulamin', en: 'I accept terms' } }]
+  })
+})
+```
+
+## Routes
+
+Scaffold provisions these endpoints in your app:
+
+| Path | Handler | Purpose |
+|------|---------|---------|
+| `POST /api/shop/cart` | `createCartHandler()` | Cart CRUD |
+| `GET /api/shop/shipping-methods` | `createShippingMethodsHandler()` | List active shipping |
+| `POST /api/shop/checkout` | `createCheckoutHandler()` | Create order + initiate payment |
+| `GET /api/shop/orders/[number]` | `createOrderHandler()` | Token-gated order view |
+| `POST /api/shop/orders/[number]/refresh-payment` | `createRefreshPaymentHandler()` | Pull status from provider |
+| `POST /api/shop/orders/[number]/retry-payment` | `createRetryPaymentHandler()` | New payment attempt |
+| `POST /api/shop/webhooks/[provider]` | `createPaymentWebhookHandler()` | Provider callbacks |
+
+## See also
+
+- [Order view](/docs/shop/order-view) — generic `<OrderStatus>` component + headless helper
+- [Retry payment](/docs/shop/retry-payment) — lifecycle + endpoint
+
+
+---
+
+# Order view
+
+After checkout the customer needs a page that shows their order status, payment outcome, and retry options. Shop offers two paths — a batteries-included component for quick projects, and a headless helper for custom designs.
+
+## 1. Generic component (`<OrderStatus />`)
+
+Drop-in view with three visual states (awaiting payment / success / rejected), auto-polling, retry button, status timeline. Theme through CSS custom properties.
+
+```svelte
+<!-- src/routes/shop/order/[number]/+page.svelte -->
+<OrderStatus {number} {token} />
+```
+
+### Theming
+
+All styling sits on CSS variables — override in your page or app.css:
+
+```css
+.aria-order-status {
+  --shop-bg: #171717;
+  --shop-fg: #f2e9e1;
+  --shop-muted: rgba(242, 233, 225, 0.6);
+  --shop-accent: #f2e9e1;
+  --shop-success: #8fb58c;
+  --shop-error: #c44b4b;
+  --shop-border: rgba(242, 233, 225, 0.15);
+  --shop-radius: 2px;
+  --shop-font-display: 'Syncopate', sans-serif;
+  --shop-font-body: 'Figtree', sans-serif;
+}
+```
+
+Fine-grained overrides via `part="..."` selectors:
+
+```css
+.aria-order-status::part(title) { text-transform: uppercase; }
+.aria-order-status::part(btn-retry) { letter-spacing: 0.08em; }
+```
+
+### Props
+
+| Prop | Type | Notes |
+|------|------|-------|
+| `number` | `string` | Order number (from URL) |
+| `token` | `string?` | Access token from `?token=`; falls back to cookie |
+| `initialData` | `OrderDetailResponse?` | SSR snapshot from `+page.server.ts` |
+| `labels` | `Partial<OrderStatusLabels>` | Override copy (Polish by default) |
+| `autoPoll` | `boolean` | Default `true` — polls every 5s when status is `awaitingPayment` |
+| `onPaid` | `(data) => void` | Fires the first time status becomes `paid` |
+
+### SSR
+
+Fetch on the server for instant render and email-from-SPA support:
+
+```ts
+// +page.server.ts
+import { createShopClient } from 'includio-cms/shop/client';
+import { readOrderTokenCookie } from 'includio-cms/shop/client'; // exposed from shop module
+
+export const load = async ({ params, url, cookies, fetch }) => {
+  const client = createShopClient({ fetch });
+  const token = url.searchParams.get('token') ?? undefined;
+  try {
+    const initialData = await client.orders.get(params.number, token);
+    return { initialData, token };
+  } catch {
+    return { initialData: null, token };
+  }
+};
+```
+
+## 2. Custom UI (headless)
+
+For fully custom designs, use `createOrderState` — a reactive Svelte 5 state object. Build whatever markup you want.
+
+```svelte
+{#if order.loading && !order.data}
+  <p>Ładowanie…</p>
+{:else if order.data}
+  {@const o = order.data.order}
+  <h1>Zamówienie {o.number}</h1>
+  <p>Status: {o.status}</p>
+
+  {#if o.status === 'awaitingPayment' || o.status === 'paymentRejected'}
+    <button onclick={handleRetry} disabled={order.phase === 'retrying'}>
+      Zapłać ponownie
+    </button>
+  {/if}
+{/if}
+```
+
+### State API
+
+- `order.data` — `OrderDetailResponse | null`
+- `order.loading` — initial fetch flag
+- `order.error` — last error (`Error | null`)
+- `order.phase` — `'idle' | 'polling' | 'retrying' | 'refreshing'`
+- `order.status` — shorthand for `data.order.status`
+- `order.load()` — fetch fresh data
+- `order.refreshPayment()` — ask provider for latest (useful if webhook is lost)
+- `order.retry()` — create new payment attempt, returns `redirectUrl | null`
+- `order.startPolling() / stopPolling()` — auto-refresh every 5s (max 2min), stops on terminal status
+- `order.dispose()` — clear timers (call in `onDestroy`)
+
+## Security
+
+- Every order has an `accessToken` (uuid). The view API (`/api/shop/orders/[number]`) requires it in `?token=` or in the `aria_shop_order` cookie (same-browser fallback, 30-min httpOnly).
+- Status emails include the full URL with token — the customer can return from any device.
+- Order numbers are Crockford base32 but token-gating prevents enumeration regardless.
+
+
+---
+
+# Retry payment
+
+When a payment attempt is rejected or left hanging, the customer must be able to try again without going through checkout a second time.
+
+## Lifecycle
+
+1. Customer completes checkout → order created with status `awaitingPayment`, adapter creates a payment session, `paymentProviderRef` stored.
+2. Something goes wrong — customer cancels on gateway, card declined, session expires → webhook flips status to `paymentRejected` (or stays `awaitingPayment` if the gateway never called back).
+3. Customer hits "Zapłać ponownie" on the order view.
+4. `POST /api/shop/orders/[number]/retry-payment?token=...` →
+   - token-gated, status must be `awaitingPayment` or `paymentRejected` (409 otherwise)
+   - adapter's `createPayment()` is called again with the same `OrderRef`
+   - new `paymentProviderRef` replaces the old one
+   - if coming from `paymentRejected`, status rolls back to `awaitingPayment` (logged in status history as `changedBy: 'retry-payment'`)
+   - response contains `redirectUrl` for the new gateway session
+
+## SDK
+
+```ts
+import { createShopClient } from 'includio-cms/shop/client';
+
+const client = createShopClient();
+const result = await client.orders.retryPayment(orderNumber, token);
+
+if (result.requiresPaymentRedirect && result.redirectUrl) {
+  window.location.href = result.redirectUrl;
+}
+```
+
+## With `createOrderState`
+
+The headless helper handles the redirect for you — it returns the URL, you navigate:
+
+```ts
+const url = await order.retry();
+if (url) window.location.href = url;
+```
+
+## Constraints
+
+- The same order is reused — numbers, tokens, items, totals stay the same.
+- Terminal statuses (`paid`, `done`, `cancelled`) block retry with **409**.
+- Orders without a payment method or whose adapter was removed from config return **400**.
+- Adapter errors bubble up as **502**.
+
+## Admin override
+
+If the customer is completely stuck, the admin can manually move the order to `paid` / `cancelled` from the orders detail page — same as before, status-change emails trigger automatically.
+
+
 ---
 
 # Migration Guide

package/ROADMAP.md

@@ -303,9 +303,14 @@
 - [x] `[feature]` `[P0]` Admin orders view — list (status + email filter), detail (items, history, customer/address/consents, change status, resend email)
 - [x] `[feature]` `[P0]` Random Crockford base32 order numbers (`XXXXX-XXXXX`), unguessable
 - [x] `[feature]` `[P0]` CLI scaffold provisions all shop routes (admin + public API) in consumer app
-- [ ] `[feature]` `[P1]` Stripe payment adapter + webhook — deferred to 0.15.1
-- [ ] `[feature]` `[P1]` PayU payment adapter + webhook — deferred to 0.15.2
+- [x] `[feature]` `[P1]` PayU payment adapter + webhook — shipped in 0.15.1 (access-token-gated order view, idempotent webhooks, MD5 signature, shipping↔payment compat, poll fallback)
+- [ ] `[feature]` `[P1]` Stripe payment adapter + webhook — deferred to 0.15.3
 - [ ] `[feature]` `[P2]` InPost carrier adapter (headless geowidget config) — deferred to 0.15.3
+
+## 0.15.2 — Price precision fix
+
+- [x] `[fix]` `[P1]` Price drift on reload — storage jako `numeric(20,6)` (PLN z 6dp), brutto round-tripuje bez utraty ±1gr. Snapshot zamówienia dalej w groszach (KSeF). <!-- files: src/lib/db-postgres/schema/shop/product.ts, productVariant.ts, shippingMethod.ts, src/lib/shop/pricing.ts, src/lib/shop/server/cart-hydrate.ts, shipping.ts, shop-data.ts, src/lib/admin/components/fields/shop-field.svelte, src/lib/admin/client/shop/shipping-method-form.svelte -->
+- [x] `[feature]` `[P2]` Variant price toggle netto/brutto (spójne z toggle\'em ceny bazowej)
 - [x] `[feature]` `[P2]` `nodemailerAdapter` — typowanie `transportOptions` jako `SMTPTransport.Options` (OAuth2, pool, itd.)
 
 ## 0.16.0 — SEO module

package/dist/admin/client/shop/shipping-method-edit-page.svelte

@@ -104,6 +104,7 @@
 		<ShippingMethodForm
 			languages={configQuery.current.languages}
 			vatRates={configQuery.current.vatRates}
+			paymentMethods={configQuery.current.paymentMethods}
 			initial={methodQuery.current}
 			{saving}
 			{errorMessage}

package/dist/admin/client/shop/shipping-method-form.svelte

@@ -3,23 +3,29 @@
 	import { Switch } from '../../../components/ui/switch/index.js';
 
 	type CarrierType = 'none' | 'inpost';
+	export interface PaymentMethodOption {
+		id: string;
+		label: Record<string, string>;
+	}
 	export interface ShippingFormPayload {
 		name: Record<string, string>;
 		description: Record<string, string> | null;
-		price: number;
+		price: number; // PLN (number, netto)
 		vatRate: number;
 		carrierType: CarrierType;
-		conditions: { freeAbove?: number } | null;
+		conditions: { freeAbove?: number } | null; // freeAbove: grosze
+		allowedPaymentMethods: string[] | null;
 		isActive: boolean;
 		sortOrder: number | null;
 	}
 	export interface ShippingFormInitial {
 		name?: Record<string, string> | unknown;
 		description?: Record<string, string> | unknown | null;
-		price?: number;
+		price?: number | string;
 		vatRate?: number;
 		carrierType?: string;
 		conditions?: { freeAbove?: number } | null;
+		allowedPaymentMethods?: string[] | null;
 		isActive?: boolean;
 		sortOrder?: number | null;
 	}
@@ -27,6 +33,7 @@
 	interface Props {
 		languages: string[];
 		vatRates: number[];
+		paymentMethods?: PaymentMethodOption[];
 		initial?: ShippingFormInitial | null;
 		saving?: boolean;
 		errorMessage?: string | null;
@@ -37,6 +44,7 @@
 	const {
 		languages,
 		vatRates,
+		paymentMethods = [],
 		initial = null,
 		saving = false,
 		errorMessage = null,
@@ -61,32 +69,55 @@
 		)
 	);
 	type InputMode = 'net' | 'gross';
-	let inputMode = $state<InputMode>(initial?.price != null ? 'net' : 'gross');
-	let inputPrice = $state(initial?.price != null ? (initial.price / 100).toFixed(2) : '0.00');
+	// initial.price — teraz PLN (number, netto) z API. Hydratujemy jako gross, żeby user widział dokładnie to co wpisał.
+	const initialNetPln = initial?.price != null ? Number(initial.price) : null;
+	const initialVat = Number(initial?.vatRate ?? vatRates[0] ?? 23);
+	let inputMode = $state<InputMode>(initialNetPln != null ? 'gross' : 'gross');
+	let inputPrice = $state(
+		initialNetPln != null
+			? (initialNetPln * (1 + initialVat / 100)).toFixed(2)
+			: '0.00'
+	);
 	let vatRate = $state<number | string>(initial?.vatRate ?? vatRates[0] ?? 23);
 
-	const inputPriceCents = $derived(Math.round(parseFloat(inputPrice || '0') * 100));
+	const inputPln = $derived(parseFloat(inputPrice || '0') || 0);
 	const vat = $derived(Number(vatRate) || 0);
-	const netCents = $derived(
-		inputMode === 'net' ? inputPriceCents : Math.round(inputPriceCents / (1 + vat / 100))
-	);
-	const grossCents = $derived(
-		inputMode === 'gross' ? inputPriceCents : Math.round(inputPriceCents * (1 + vat / 100))
-	);
-	const vatCents = $derived(grossCents - netCents);
+	const netPln = $derived(inputMode === 'net' ? inputPln : inputPln / (1 + vat / 100));
+	const grossPln = $derived(inputMode === 'gross' ? inputPln : inputPln * (1 + vat / 100));
+	const vatPln = $derived(grossPln - netPln);
 
-	function formatCents(cents: number) {
-		return (cents / 100).toFixed(2);
+	function formatPln(pln: number) {
+		return pln.toFixed(2);
 	}
 
 	function switchMode(newMode: InputMode) {
 		if (newMode === inputMode) return;
-		const preservedCents = newMode === 'net' ? netCents : grossCents;
+		const preserved = newMode === 'net' ? netPln : grossPln;
 		inputMode = newMode;
-		inputPrice = formatCents(preservedCents);
+		inputPrice = formatPln(preserved);
 	}
 	let carrierType = $state<CarrierType>((initial?.carrierType as CarrierType) ?? 'none');
 	let isActive = $state(initial?.isActive ?? true);
+	// null/undefined = no restriction (all allowed); otherwise a whitelist.
+	let restrictPayments = $state(
+		Array.isArray(initial?.allowedPaymentMethods) && (initial?.allowedPaymentMethods?.length ?? 0) > 0
+	);
+	let allowedPaymentIds = $state<string[]>(
+		Array.isArray(initial?.allowedPaymentMethods) ? [...(initial?.allowedPaymentMethods ?? [])] : []
+	);
+
+	function togglePaymentMethod(id: string, checked: boolean) {
+		if (checked) {
+			if (!allowedPaymentIds.includes(id)) allowedPaymentIds = [...allowedPaymentIds, id];
+		} else {
+			allowedPaymentIds = allowedPaymentIds.filter((x) => x !== id);
+		}
+	}
+
+	function paymentLabel(p: PaymentMethodOption): string {
+		const first = languages[0] ?? 'pl';
+		return p.label[first] ?? Object.values(p.label)[0] ?? p.id;
+	}
 	let freeAboveEnabled = $state(initial?.conditions?.freeAbove != null);
 	let freeAbove = $state(
 		initial?.conditions?.freeAbove != null
@@ -98,12 +129,13 @@
 		await onsubmit({
 			name: names,
 			description: Object.values(descriptions).some((d) => d.length > 0) ? descriptions : null,
-			price: netCents,
+			price: netPln,
 			vatRate: Number(vatRate),
 			carrierType,
 			conditions: freeAboveEnabled
 				? { freeAbove: Math.round(parseFloat(freeAbove || '0') * 100) }
 				: null,
+			allowedPaymentMethods: restrictPayments ? allowedPaymentIds : null,
 			isActive,
 			sortOrder: initial?.sortOrder ?? null
 		});
@@ -197,15 +229,15 @@
 		<div class="bg-muted/40 border-border grid grid-cols-3 gap-2 rounded-lg border p-2.5 text-center text-xs">
 			<div>
 				<div class="text-muted-foreground font-semibold uppercase tracking-wide">Netto</div>
-				<div class="text-sm font-bold tabular-nums">{formatCents(netCents)} zł</div>
+				<div class="text-sm font-bold tabular-nums">{formatPln(netPln)} zł</div>
 			</div>
 			<div class="border-border border-x">
 				<div class="text-muted-foreground font-semibold uppercase tracking-wide">VAT</div>
-				<div class="text-sm font-bold tabular-nums">{formatCents(vatCents)} zł</div>
+				<div class="text-sm font-bold tabular-nums">{formatPln(vatPln)} zł</div>
 			</div>
 			<div>
 				<div class="text-muted-foreground font-semibold uppercase tracking-wide">Brutto</div>
-				<div class="text-primary text-sm font-bold tabular-nums">{formatCents(grossCents)} zł</div>
+				<div class="text-primary text-sm font-bold tabular-nums">{formatPln(grossPln)} zł</div>
 			</div>
 		</div>
 		<label class="flex items-center gap-2">
@@ -226,6 +258,42 @@
 		{/if}
 	</section>
 
+	{#if paymentMethods.length > 0}
+		<section class="border-border bg-card space-y-4 rounded-xl border p-6">
+			<h2 class="text-lg font-bold">Dozwolone metody płatności</h2>
+			<p class="text-muted-foreground text-sm">
+				Ogranicz metody płatności dla tej dostawy (np. wyłącz płatność za pobraniem dla
+				paczkomatu). Jeśli wyłączone — wszystkie skonfigurowane metody są dostępne.
+			</p>
+			<label class="flex items-center gap-2">
+				<Switch bind:checked={restrictPayments} />
+				<span class="text-sm">Ogranicz metody płatności</span>
+			</label>
+			{#if restrictPayments}
+				<div class="space-y-2 pl-2">
+					{#each paymentMethods as p (p.id)}
+						<label class="flex items-center gap-2">
+							<input
+								type="checkbox"
+								checked={allowedPaymentIds.includes(p.id)}
+								onchange={(e) =>
+									togglePaymentMethod(p.id, (e.currentTarget as HTMLInputElement).checked)}
+							/>
+							<span class="text-sm">{paymentLabel(p)}</span>
+							<span class="text-muted-foreground text-xs">({p.id})</span>
+						</label>
+					{/each}
+					{#if allowedPaymentIds.length === 0}
+						<p class="text-xs text-amber-700">
+							Wybierz co najmniej jedną metodę, inaczej checkout dla tej dostawy będzie
+							zablokowany.
+						</p>
+					{/if}
+				</div>
+			{/if}
+		</section>
+	{/if}
+
 	<section class="border-border bg-card space-y-4 rounded-xl border p-6">
 		<h2 class="text-lg font-bold">Przewoźnik</h2>
 		<label class="block">

package/dist/admin/client/shop/shipping-method-form.svelte.d.ts

@@ -1,4 +1,8 @@
 type CarrierType = 'none' | 'inpost';
+export interface PaymentMethodOption {
+    id: string;
+    label: Record<string, string>;
+}
 export interface ShippingFormPayload {
     name: Record<string, string>;
     description: Record<string, string> | null;
@@ -8,24 +12,27 @@ export interface ShippingFormPayload {
     conditions: {
         freeAbove?: number;
     } | null;
+    allowedPaymentMethods: string[] | null;
     isActive: boolean;
     sortOrder: number | null;
 }
 export interface ShippingFormInitial {
     name?: Record<string, string> | unknown;
     description?: Record<string, string> | unknown | null;
-    price?: number;
+    price?: number | string;
     vatRate?: number;
     carrierType?: string;
     conditions?: {
         freeAbove?: number;
     } | null;
+    allowedPaymentMethods?: string[] | null;
     isActive?: boolean;
     sortOrder?: number | null;
 }
 interface Props {
     languages: string[];
     vatRates: number[];
+    paymentMethods?: PaymentMethodOption[];
     initial?: ShippingFormInitial | null;
     saving?: boolean;
     errorMessage?: string | null;

package/dist/admin/client/shop/shipping-method-new-page.svelte

@@ -39,6 +39,7 @@
 		<ShippingMethodForm
 			languages={configQuery.current.languages}
 			vatRates={configQuery.current.vatRates}
+			paymentMethods={configQuery.current.paymentMethods}
 			{saving}
 			{errorMessage}
 			onsubmit={handleSubmit}

package/dist/admin/client/shop/shipping-methods-list-page.svelte

@@ -35,12 +35,15 @@
 		}
 	});
 
-	function formatPrice(smallest: number) {
+	function formatPricePln(pln: number) {
 		return new Intl.NumberFormat('pl-PL', {
 			style: 'currency',
 			currency: 'PLN',
 			minimumFractionDigits: 2
-		}).format(smallest / 100);
+		}).format(pln);
+	}
+	function formatPriceCents(cents: number) {
+		return formatPricePln(cents / 100);
 	}
 
 	async function doReorder(fromIndex: number, toIndex: number) {
@@ -143,11 +146,11 @@
 								{resolveI18n(m.name as Record<string, string>, interfaceLanguage.current, '')}
 							</a>
 						</div>
-						<div>{formatPrice(m.price)}</div>
+						<div>{formatPricePln(Number(m.price))}</div>
 						<div>{m.vatRate}%</div>
 						<div>
 							{#if cond?.freeAbove != null}
-								{formatPrice(cond.freeAbove)}
+								{formatPriceCents(cond.freeAbove)}
 							{:else}
 								<span class="text-muted-foreground text-xs">—</span>
 							{/if}

package/dist/admin/client/shop/shop-products-list-page.svelte

@@ -13,12 +13,12 @@
 	const entriesQuery = $derived(remotes.listShopProductEntries());
 	const collectionsQuery = $derived(remotes.listShopableCollections());
 
-	function formatPrice(smallest: number) {
+	function formatPrice(pln: number) {
 		return new Intl.NumberFormat('pl-PL', {
 			style: 'currency',
 			currency: 'PLN',
 			minimumFractionDigits: 2
-		}).format(smallest / 100);
+		}).format(pln);
 	}
 
 	function resolveTitle(data: Record<string, unknown> | null, fallback: string): string {