Phase 5.x payment revamp + Xendit Stage-8 prep

- Backend wraps idn-finlogos npm at /assets/payment-icons/<slug>.svg with
  1y immutable cache. Mobile drops bundled SVGs (only placeholder remains)
  and fetches via flutter_cache_manager. payment_methods.icon is now a
  CSV of slugs; catalog emits icon_urls[]. CARDS tile renders Visa + MC +
  JCB side by side.
- Per-method min/max amount bounds (BIGINT, nullable). Picker greys out
  out-of-range tiles with subtitle; backend gates with INVALID_PAYMENT_AMOUNT
  (422). Defense in depth against stale-catalog clients.
- Xendit channel codes corrected from authoritative docs
  (BCA_VA -> BCA_VIRTUAL_ACCOUNT, CREDIT_CARD -> CARDS, ovo -> ovo-new,
  shopeepay -> shopee-pay, ...). 18 methods x 5 groups seeded with
  Xendit-published per-channel min/max.
- Re-runnable seed (ON CONFLICT DO NOTHING on payment_code + new unique
  index on group name). Operator CC edits never clobbered across re-runs.
  One-shot reset + inspect scripts under backend/.dev/.
- Customer redirect HTML pages at /payment/return/{success,failure},
  brand-styled with "Buka HaloBestie" CTA firing halobestie:// deeplink.
  URL scheme registered on Android (intent-filter w/ BROWSABLE on
  MainActivity) and iOS (CFBundleURLTypes). Waiting-payment poller still
  owns confirmation; deeplink just brings the activity to foreground.
- Control center payment-catalog page: min/max inputs + columns. Other
  CC pages restyled with new theme tokens (separate work, bundled here).

169/169 backend tests pass. See requirement/phase5-payment-revamp-2026-05-27.md
for the full revamp doc. Stage 8 (E2E) still pending: webhook URL routing
decision + two client_app follow-ups (legacy /chat/request removal,
extension Custom Tab).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend/src/routes/public/shared.payment-icons.routes.js

@@ -0,0 +1,40 @@
+/**
+ * Public payment-icon serving — Phase 5.x.
+ *
+ * GET /assets/payment-icons/:slug.svg
+ *   Returns the idn-finlogos SVG for `slug` with a 1-year immutable cache
+ *   header. Content is stable per backend deploy (icons change only when the
+ *   `idn-finlogos` npm dep is bumped); clients can cache aggressively.
+ *
+ * Public on purpose — these are brand-mark icons, not sensitive data. The
+ * catalog endpoint (`GET /api/client/payment-methods`) is still authenticated;
+ * leaking the icon URL by itself reveals nothing useful.
+ *
+ * 404 on unknown slug. We deliberately do NOT 200-with-placeholder here —
+ * upstream owns the "show placeholder" fallback, and 404ing tells operators
+ * about typo'd slugs in the CC payment-method form.
+ */
+
+import { createReadStream } from 'fs'
+import { hasIconSlug, resolveIconPath } from '../../services/payment-icon.service.js'
+
+const SLUG_RE = /^[a-z0-9][a-z0-9-]{0,63}$/
+
+export const paymentIconRoutes = async (app) => {
+  app.get('/payment-icons/:slug.svg', async (request, reply) => {
+    const { slug } = request.params
+
+    // Guard against path-traversal / oversized slug before touching the FS.
+    if (!SLUG_RE.test(slug) || !hasIconSlug(slug)) {
+      return reply.code(404).send({
+        success: false,
+        error: { code: 'NOT_FOUND', message: 'Unknown payment icon slug' },
+      })
+    }
+
+    return reply
+      .type('image/svg+xml')
+      .header('Cache-Control', 'public, max-age=31536000, immutable')
+      .send(createReadStream(resolveIconPath(slug)))
+  })
+}