Phase 4 Stage 2: onboarding redesign (client_app + mitra_app)

Verif Choice Sheet on display_name_screen drives the user into either
the verified or anonymous onboarding sub-flow. ESP screen (12 chips,
multi-select, info-only) + USP screen are shared between both branches;
selections persist through to chat_sessions.topics on session start.

OTP-blocked popup (HaloPopup) listens for the four real OTP-rate-limit
error codes (OTP_RATE_LIMIT_PHONE, OTP_RATE_LIMIT_IP, OTP_COOLDOWN,
OTP_ATTEMPTS_EXCEEDED) and drops the user onto the anonymous path with
ESP/USP state preserved.

Auth-providers gating replaces the --dart-define=ENABLE_SOCIAL_AUTH
build flag with server-driven discovery. authProvidersProvider preloads
GET /api/shared/auth-providers at cold start; welcome/register/
force-register screens render Google/Apple buttons only when the
backend reports enabled:true. Falls back to phone-OTP-only when both
providers are off. social_auth_enabled.dart deleted; client_app/CLAUDE.md
updated to reflect the new gating contract.

Mitra app: chat screen renders an ESP chip strip above the first message
bubble when chat_sessions.topics is non-empty.

Backend session.service.js getSessionById SELECTs cs.topics so the mitra
side can read the customer's selected topics.

Maestro flows 02_onboarding_verified.yaml + 03_onboarding_anon.yaml.

Deviation from plan: plan referenced OTP error code 'otp_retry_exhausted';
real codes are OTP_RATE_LIMIT_*/OTP_COOLDOWN/OTP_ATTEMPTS_EXCEEDED -
popup listens for all four. Plan said 'has_paid_first_session'; live
endpoint returns 'has_consulted_before' - used the live field.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

client_app/lib/core/auth/auth_providers_provider.dart

@@ -0,0 +1,51 @@
+import 'package:flutter_riverpod/flutter_riverpod.dart';
+import 'package:riverpod_annotation/riverpod_annotation.dart';
+import '../api/api_client_provider.dart';
+
+part 'auth_providers_provider.g.dart';
+
+class AuthProvidersConfig {
+  final bool google;
+  final bool apple;
+  final bool phone;
+
+  const AuthProvidersConfig({
+    required this.google,
+    required this.apple,
+    required this.phone,
+  });
+
+  /// Conservative fallback used when the network probe fails. Phone OTP is
+  /// always available; social sign-in is hidden until the backend confirms.
+  static const fallback = AuthProvidersConfig(
+    google: false,
+    apple: false,
+    phone: true,
+  );
+
+  bool get hasAnySocial => google || apple;
+}
+
+/// Cached server-driven flag set for which auth entry points are wired up.
+///
+/// Replaces the old `--dart-define=ENABLE_SOCIAL_AUTH` build flag: the client
+/// now reads `GET /api/shared/auth-providers` once on cold start and hides
+/// Google/Apple buttons when the corresponding flag is `false`.
+@Riverpod(keepAlive: true)
+Future<AuthProvidersConfig> authProviders(Ref ref) async {
+  try {
+    final response = await ref.read(apiClientProvider).get('/api/shared/auth-providers');
+    final data = response['data'] as Map<String, dynamic>?;
+    if (data == null) return AuthProvidersConfig.fallback;
+    final google = data['google'] as Map<String, dynamic>?;
+    final apple = data['apple'] as Map<String, dynamic>?;
+    final phone = data['phone'] as Map<String, dynamic>?;
+    return AuthProvidersConfig(
+      google: (google?['enabled'] as bool?) ?? false,
+      apple: (apple?['enabled'] as bool?) ?? false,
+      phone: (phone?['enabled'] as bool?) ?? true,
+    );
+  } catch (_) {
+    return AuthProvidersConfig.fallback;
+  }
+}

client_app/lib/core/auth/auth_providers_provider.g.dart

@@ -0,0 +1,33 @@
+// GENERATED CODE - DO NOT MODIFY BY HAND
+
+part of 'auth_providers_provider.dart';
+
+// **************************************************************************
+// RiverpodGenerator
+// **************************************************************************
+
+String _$authProvidersHash() => r'cadec65217f3280bbd1b36568eefb93a7fcdd6f9';
+
+/// Cached server-driven flag set for which auth entry points are wired up.
+///
+/// Replaces the old `--dart-define=ENABLE_SOCIAL_AUTH` build flag: the client
+/// now reads `GET /api/shared/auth-providers` once on cold start and hides
+/// Google/Apple buttons when the corresponding flag is `false`.
+///
+/// Copied from [authProviders].
+@ProviderFor(authProviders)
+final authProvidersProvider = FutureProvider<AuthProvidersConfig>.internal(
+  authProviders,
+  name: r'authProvidersProvider',
+  debugGetCreateSourceHash: const bool.fromEnvironment('dart.vm.product')
+      ? null
+      : _$authProvidersHash,
+  dependencies: null,
+  allTransitiveDependencies: null,
+);
+
+@Deprecated('Will be removed in 3.0. Use Ref instead')
+// ignore: unused_element
+typedef AuthProvidersRef = FutureProviderRef<AuthProvidersConfig>;
+// ignore_for_file: type=lint
+// ignore_for_file: subtype_of_sealed_class, invalid_use_of_internal_member, invalid_use_of_visible_for_testing_member, deprecated_member_use_from_same_package

client_app/lib/core/auth/social_auth_enabled.dart

@@ -1,7 +0,0 @@
-/// Build-time flag controlling whether Google / Apple sign-in buttons
-/// are shown. Default: false until backend OAuth credentials are
-/// provisioned. Enable with `--dart-define=ENABLE_SOCIAL_AUTH=true`.
-const bool kSocialAuthEnabled = bool.fromEnvironment(
-  'ENABLE_SOCIAL_AUTH',
-  defaultValue: false,
-);