fix: allow buyers to view shipping settings and filter orders by role

- shipping_handler: Remove auth restriction on GetShippingSettings (buyers need to see sellers' shipping options)
- order_handler: Add role query param parsing (buyer/seller) to filter orders by requester's company ID

Fixes 500 errors on:
- GET /api/v1/shipping/settings/{vendor_id}
- GET /api/v1/orders?role=buyer
- GET /api/v1/orders?role=seller

backend/internal/http/handler/order_handler.go

@@ -55,6 +55,23 @@ func (h *Handler) ListOrders(w http.ResponseWriter, r *http.Request) {
 	page, pageSize := parsePagination(r)
 	filter := domain.OrderFilter{}
 
+	// Parse role query param for filtering
+	requester, err := getRequester(r)
+	if err != nil {
+		writeError(w, http.StatusUnauthorized, err)
+		return
+	}
+
+	role := r.URL.Query().Get("role")
+	if role != "" && requester.CompanyID != nil {
+		switch role {
+		case "buyer":
+			filter.BuyerID = requester.CompanyID
+		case "seller":
+			filter.SellerID = requester.CompanyID
+		}
+	}
+
 	result, err := h.svc.ListOrders(r.Context(), filter, page, pageSize)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, err)

backend/internal/http/handler/shipping_handler.go

@@ -28,17 +28,8 @@ func (h *Handler) GetShippingSettings(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	requester, err := getRequester(r)
+	// Any authenticated user can view shipping settings (needed for checkout)
-	if err != nil {
+	// No role-based restriction here - shipping settings are public info for buyers
-		writeError(w, http.StatusBadRequest, err)
-		return
-	}
-	if !strings.EqualFold(requester.Role, "Admin") {
-		if requester.CompanyID == nil || *requester.CompanyID != vendorID {
-			writeError(w, http.StatusForbidden, errors.New("not allowed to view shipping settings"))
-			return
-		}
-	}
 
 	settings, err := h.svc.GetShippingSettings(r.Context(), vendorID)
 	if err != nil {