Phase 5.x payment revamp + Xendit Stage-8 prep

- Backend wraps idn-finlogos npm at /assets/payment-icons/<slug>.svg with
  1y immutable cache. Mobile drops bundled SVGs (only placeholder remains)
  and fetches via flutter_cache_manager. payment_methods.icon is now a
  CSV of slugs; catalog emits icon_urls[]. CARDS tile renders Visa + MC +
  JCB side by side.
- Per-method min/max amount bounds (BIGINT, nullable). Picker greys out
  out-of-range tiles with subtitle; backend gates with INVALID_PAYMENT_AMOUNT
  (422). Defense in depth against stale-catalog clients.
- Xendit channel codes corrected from authoritative docs
  (BCA_VA -> BCA_VIRTUAL_ACCOUNT, CREDIT_CARD -> CARDS, ovo -> ovo-new,
  shopeepay -> shopee-pay, ...). 18 methods x 5 groups seeded with
  Xendit-published per-channel min/max.
- Re-runnable seed (ON CONFLICT DO NOTHING on payment_code + new unique
  index on group name). Operator CC edits never clobbered across re-runs.
  One-shot reset + inspect scripts under backend/.dev/.
- Customer redirect HTML pages at /payment/return/{success,failure},
  brand-styled with "Buka HaloBestie" CTA firing halobestie:// deeplink.
  URL scheme registered on Android (intent-filter w/ BROWSABLE on
  MainActivity) and iOS (CFBundleURLTypes). Waiting-payment poller still
  owns confirmation; deeplink just brings the activity to foreground.
- Control center payment-catalog page: min/max inputs + columns. Other
  CC pages restyled with new theme tokens (separate work, bundled here).

169/169 backend tests pass. See requirement/phase5-payment-revamp-2026-05-27.md
for the full revamp doc. Stage 8 (E2E) still pending: webhook URL routing
decision + two client_app follow-ups (legacy /chat/request removal,
extension Custom Tab).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend/test/routes/client.payment.routes.test.js

@@ -123,6 +123,65 @@ describe('POST /api/client/payment-requests', () => {
     expect(confirmed.confirmed_at).toBeTruthy()
   })
 
+  it('rejects with INVALID_PAYMENT_AMOUNT when amount falls below the method min', async () => {
+    // Seed a low-min method and price the request below it.
+    const sql = db()
+    const [g] = await sql`
+      INSERT INTO payment_method_groups (name, display_order, is_active)
+      VALUES ('TestGroup-min', 99, true) RETURNING id
+    `
+    await sql`
+      INSERT INTO payment_methods (group_id, display_name, payment_code, display_order,
+                                   icon, min_amount, max_amount, is_active)
+      VALUES (${g.id}, 'TestVA', 'TEST_VA', 0, null, 50000, null, true)
+    `
+    // Bust the catalog cache so the new method is visible.
+    const { invalidatePaymentCatalog } = await import('../../src/services/payment-catalog.service.js')
+    await invalidatePaymentCatalog()
+
+    // Eligible discount path puts the price at 2000 — well below TEST_VA's 50000 min.
+    const res = await app.inject({
+      method: 'POST',
+      url: '/api/client/payment-requests',
+      headers: authHeader(token),
+      payload: { duration_minutes: 12, method: 'TEST_VA' },
+    })
+
+    expect(res.statusCode).toBe(422)
+    const body = res.json()
+    expect(body.error.code).toBe('INVALID_PAYMENT_AMOUNT')
+    expect(body.error.details.min_amount).toBe(50000)
+    expect(body.error.details.amount).toBe(2000)
+  })
+
+  it('rejects with INVALID_PAYMENT_AMOUNT when amount exceeds the method max', async () => {
+    const sql = db()
+    const [g] = await sql`
+      INSERT INTO payment_method_groups (name, display_order, is_active)
+      VALUES ('TestGroup-max', 99, true) RETURNING id
+    `
+    await sql`
+      INSERT INTO payment_methods (group_id, display_name, payment_code, display_order,
+                                   icon, min_amount, max_amount, is_active)
+      VALUES (${g.id}, 'TestWallet', 'TEST_W', 0, null, null, 1000, true)
+    `
+    const { invalidatePaymentCatalog } = await import('../../src/services/payment-catalog.service.js')
+    await invalidatePaymentCatalog()
+
+    // Discounted 12-min = 2000 IDR, above the 1000 max.
+    const res = await app.inject({
+      method: 'POST',
+      url: '/api/client/payment-requests',
+      headers: authHeader(token),
+      payload: { duration_minutes: 12, method: 'TEST_W' },
+    })
+
+    expect(res.statusCode).toBe(422)
+    const body = res.json()
+    expect(body.error.code).toBe('INVALID_PAYMENT_AMOUNT')
+    expect(body.error.details.max_amount).toBe(1000)
+  })
+
   it('call-mode payment session uses the call tier price group', async () => {
     // 20-minute call tier in Phase 4 = 17000 IDR.
     const res = await app.inject({