Xendit webhook: metadata.app routing + survival audit log + rolling fallback file

Every Xendit invoice now carries metadata: { app: 'halobestie_v2' } so an
external webhook router (no DB access) can fan out v1/v2 traffic purely off
the echoed payload.

Every inbound webhook lands in a new webhook_logs table BEFORE auth or
business logic, so a forensic row survives 401/409/unknown/exception paths.
Primary fields are parsed as columns; raw_body keeps the full payload
verbatim. The handler captures outcome in closure-scoped vars and stamps
http_status/processing_result/processing_error in a single update before
the lone reply.send() — Fastify flushes reply.send() immediately, which
defeated the original finally-block stamp.

A non-UUID external_id no longer crashes the Postgres cast; it ACKs with
ignored_non_uuid_external_id so Xendit stops retrying legacy old-app IDs.

When the DB log itself fails, an optional rolling JSONL file sink absorbs
the event. Disabled by default — opt in via XENDIT_WEBHOOK_FALLBACK_ENABLED.
Naming: <NAME>-YYYY-MM-DD.jsonl in XENDIT_WEBHOOK_FALLBACK_DIR (default
./logs), basename XENDIT_WEBHOOK_FALLBACK_NAME (default
xendit-webhook-fallback). No stdout fallback by design.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -98,6 +98,9 @@ const createXenditInvoice = async ({ paymentRequestId, amount, ttlMinutes, descr
currency: 'IDR',
successRedirectUrl: successRedirectUrl || undefined,
failureRedirectUrl: failureRedirectUrl || undefined,
// Stamped so a shared webhook router (no DB access) can route v1 vs v2 traffic
// purely from the echoed payload. Keep this string stable — it is a routing key.
metadata: { app: 'halobestie_v2' },
// paymentMethods omitted → honor dashboard config (operator picks methods without a deploy)
},
})
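Review bot: the routing key on the `metadata: { app: 'halobestie_v2' }` line is an inline string literal that the comment above it says must stay stable; hoist it into a named constant exported from one place, so the invoice creator and any test asserting on the router contract reference the same value and a rename cannot happen silently. The comment should also say what the router is expected to do when `metadata.app` is absent, since invoices created before this change will not echo the field, and it should state that the field is a routing hint only: it says which app should receive the callback, not that the callback is authentic, so the receiving handler's own verification still has to run after routing.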