Phase 5.x payment revamp + Xendit Stage-8 prep

- Backend wraps idn-finlogos npm at /assets/payment-icons/<slug>.svg with
  1y immutable cache. Mobile drops bundled SVGs (only placeholder remains)
  and fetches via flutter_cache_manager. payment_methods.icon is now a
  CSV of slugs; catalog emits icon_urls[]. CARDS tile renders Visa + MC +
  JCB side by side.
- Per-method min/max amount bounds (BIGINT, nullable). Picker greys out
  out-of-range tiles with subtitle; backend gates with INVALID_PAYMENT_AMOUNT
  (422). Defense in depth against stale-catalog clients.
- Xendit channel codes corrected from authoritative docs
  (BCA_VA -> BCA_VIRTUAL_ACCOUNT, CREDIT_CARD -> CARDS, ovo -> ovo-new,
  shopeepay -> shopee-pay, ...). 18 methods x 5 groups seeded with
  Xendit-published per-channel min/max.
- Re-runnable seed (ON CONFLICT DO NOTHING on payment_code + new unique
  index on group name). Operator CC edits never clobbered across re-runs.
  One-shot reset + inspect scripts under backend/.dev/.
- Customer redirect HTML pages at /payment/return/{success,failure},
  brand-styled with "Buka HaloBestie" CTA firing halobestie:// deeplink.
  URL scheme registered on Android (intent-filter w/ BROWSABLE on
  MainActivity) and iOS (CFBundleURLTypes). Waiting-payment poller still
  owns confirmation; deeplink just brings the activity to foreground.
- Control center payment-catalog page: min/max inputs + columns. Other
  CC pages restyled with new theme tokens (separate work, bundled here).

169/169 backend tests pass. See requirement/phase5-payment-revamp-2026-05-27.md
for the full revamp doc. Stage 8 (E2E) still pending: webhook URL routing
decision + two client_app follow-ups (legacy /chat/request removal,
extension Custom Tab).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend/test/routes/client.payment.routes.test.js

@@ -123,6 +123,65 @@ describe('POST /api/client/payment-requests', () => {
     expect(confirmed.confirmed_at).toBeTruthy()
   })
 
+  it('rejects with INVALID_PAYMENT_AMOUNT when amount falls below the method min', async () => {
+    // Seed a low-min method and price the request below it.
+    const sql = db()
+    const [g] = await sql`
+      INSERT INTO payment_method_groups (name, display_order, is_active)
+      VALUES ('TestGroup-min', 99, true) RETURNING id
+    `
+    await sql`
+      INSERT INTO payment_methods (group_id, display_name, payment_code, display_order,
+                                   icon, min_amount, max_amount, is_active)
+      VALUES (${g.id}, 'TestVA', 'TEST_VA', 0, null, 50000, null, true)
+    `
+    // Bust the catalog cache so the new method is visible.
+    const { invalidatePaymentCatalog } = await import('../../src/services/payment-catalog.service.js')
+    await invalidatePaymentCatalog()
+
+    // Eligible discount path puts the price at 2000 — well below TEST_VA's 50000 min.
+    const res = await app.inject({
+      method: 'POST',
+      url: '/api/client/payment-requests',
+      headers: authHeader(token),
+      payload: { duration_minutes: 12, method: 'TEST_VA' },
+    })
+
+    expect(res.statusCode).toBe(422)
+    const body = res.json()
+    expect(body.error.code).toBe('INVALID_PAYMENT_AMOUNT')
+    expect(body.error.details.min_amount).toBe(50000)
+    expect(body.error.details.amount).toBe(2000)
+  })
+
+  it('rejects with INVALID_PAYMENT_AMOUNT when amount exceeds the method max', async () => {
+    const sql = db()
+    const [g] = await sql`
+      INSERT INTO payment_method_groups (name, display_order, is_active)
+      VALUES ('TestGroup-max', 99, true) RETURNING id
+    `
+    await sql`
+      INSERT INTO payment_methods (group_id, display_name, payment_code, display_order,
+                                   icon, min_amount, max_amount, is_active)
+      VALUES (${g.id}, 'TestWallet', 'TEST_W', 0, null, null, 1000, true)
+    `
+    const { invalidatePaymentCatalog } = await import('../../src/services/payment-catalog.service.js')
+    await invalidatePaymentCatalog()
+
+    // Discounted 12-min = 2000 IDR, above the 1000 max.
+    const res = await app.inject({
+      method: 'POST',
+      url: '/api/client/payment-requests',
+      headers: authHeader(token),
+      payload: { duration_minutes: 12, method: 'TEST_W' },
+    })
+
+    expect(res.statusCode).toBe(422)
+    const body = res.json()
+    expect(body.error.code).toBe('INVALID_PAYMENT_AMOUNT')
+    expect(body.error.details.max_amount).toBe(1000)
+  })
+
   it('call-mode payment session uses the call tier price group', async () => {
     // 20-minute call tier in Phase 4 = 17000 IDR.
     const res = await app.inject({

backend/test/routes/shared.payment-icons.routes.test.js

@@ -0,0 +1,59 @@
+import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest'
+
+vi.mock('../../src/plugins/websocket.js', () => ({
+  sendToUser: vi.fn(() => false),
+  sendToSessionParticipant: vi.fn(() => false),
+  registerWebSocketPlugin: vi.fn(async () => {}),
+  registerWebSocketRoute: vi.fn(),
+  isUserOnlineWs: vi.fn(() => false),
+  getSessionConnections: vi.fn(() => ({})),
+}))
+vi.mock('../../src/services/notification.service.js', () => ({
+  sendPushNotification: vi.fn(async () => true),
+  registerDeviceToken: vi.fn(async () => {}),
+}))
+
+const { buildPublic } = await import('../helpers/server.js')
+
+describe('GET /assets/payment-icons/:slug.svg', () => {
+  let app
+
+  beforeAll(async () => {
+    app = await buildPublic()
+  })
+
+  afterAll(async () => {
+    await app.close()
+  })
+
+  it('serves a known idn-finlogos slug with svg content-type and immutable cache', async () => {
+    // 'qris' is one of our seeded slugs and is shipped by idn-finlogos.
+    const res = await app.inject({ method: 'GET', url: '/assets/payment-icons/qris.svg' })
+    expect(res.statusCode).toBe(200)
+    expect(res.headers['content-type']).toBe('image/svg+xml')
+    expect(res.headers['cache-control']).toBe('public, max-age=31536000, immutable')
+    expect(res.body).toMatch(/^<\?xml|^<svg/)
+  })
+
+  it('404s on an unknown slug', async () => {
+    const res = await app.inject({
+      method: 'GET',
+      url: '/assets/payment-icons/definitely-not-a-real-bank.svg',
+    })
+    expect(res.statusCode).toBe(404)
+    const body = JSON.parse(res.body)
+    expect(body.error.code).toBe('NOT_FOUND')
+  })
+
+  it('404s on slug with path-traversal characters', async () => {
+    // Fastify normalises `..` in the URL, so this resolves to the parent
+    // route; we still expect a 404 (no SVG matches) — but the SLUG_RE guard
+    // is what would catch an unencoded attempt if a router ever let one
+    // through, so we cover its negative case here.
+    const res = await app.inject({
+      method: 'GET',
+      url: '/assets/payment-icons/UPPER.svg',
+    })
+    expect(res.statusCode).toBe(404)
+  })
+})