Phase 5 Xendit: Stages 1-7 (XENDIT_ENABLED=false; Stage 8 pending creds)

Backend
- payment_sessions → payment_requests rename across DB schema + 29 files
- payment.service.js becomes product-agnostic owner: EventEmitter +
  Xendit wrapper + requestPayment / confirmPayment public API; legacy
  aliases retained for existing chat callers
- Webhook handler at POST /api/shared/payment/webhooks/xendit, with
  constant-time token verification (8 vitest cases)
- Server-driven pairing: payment.service emits
  payment_request.confirmed → pairing subscriber starts the blast.
  Legacy POST /chat/request still works during the cutover.
- Reconciliation sweeper extended (re-emits events for confirmed rows
  with no chat session)
- SIGTERM drain + startup reconciliation pass in server.js

Customer app
- waiting_payment_screen opens xendit_invoice_url via
  LaunchMode.inAppBrowserView
- searching / no-bestie / targeted-waiting / pairing-notifier updated
  to consume the new payment_request_id contract
- pending_payments_provider + bestie-unavailable dialog migrated

Dev / testing
- XENDIT_ENABLED=false is the safe default; .env.example documents the
  four new vars
- backend/.dev/xendit-fake-webhook.sh exercises the handler without
  ngrok
- 90/92 backend tests pass (two pre-existing session-timer flakes,
  unrelated); client_app analyzer clean
- requirement/phase5-xendit-plan.md is the canonical reference

Stage 8 (live E2E) blocked on Xendit test-mode keys. The dashboard's
single-webhook-URL constraint will be worked around via a self-poll
script next session.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

backend/src/routes/internal/config.routes.js

@@ -11,7 +11,7 @@ import {
   getEarlyEndConfig, setEarlyEndConfig,
   getMitraPingConfig, setMitraPingConfig, getMitraHeartbeatCadenceSeconds,
   getSensitivityConfig, setSensitivityConfig,
-  getPaymentSessionTimeoutMinutes, setPaymentSessionTimeoutMinutes,
+  getPaymentRequestTimeoutMinutes, setPaymentRequestTimeoutMinutes,
   getReturningChatConfirmationTimeoutSeconds, setReturningChatConfirmationTimeoutSeconds,
   getExtensionDefaultActionOnTimeout, setExtensionDefaultActionOnTimeout,
   getPairingBlastTimeoutSeconds, setPairingBlastTimeoutSeconds,
@@ -247,21 +247,21 @@ export const internalConfigRoutes = async (app) => {
   app.get('/payment-session-timeout', {
     preHandler: [authenticate, attachCcUser, requirePermission('config', 'read')],
   }, async (_req, reply) => {
-    return reply.send({ success: true, data: await getPaymentSessionTimeoutMinutes() })
+    return reply.send({ success: true, data: await getPaymentRequestTimeoutMinutes() })
   })
 
   app.patch('/payment-session-timeout', {
     preHandler: [authenticate, attachCcUser, requirePermission('config', 'update')],
   }, async (request, reply) => {
-    const { payment_session_timeout_minutes } = request.body ?? {}
-    if (typeof payment_session_timeout_minutes !== 'number' || payment_session_timeout_minutes < 1) {
+    const { payment_request_timeout_minutes } = request.body ?? {}
+    if (typeof payment_request_timeout_minutes !== 'number' || payment_request_timeout_minutes < 1) {
       return reply.code(422).send({
         success: false,
-        error: { code: 'VALIDATION_ERROR', message: 'payment_session_timeout_minutes must be a number >= 1' },
+        error: { code: 'VALIDATION_ERROR', message: 'payment_request_timeout_minutes must be a number >= 1' },
       })
     }
-    const config = await setPaymentSessionTimeoutMinutes(payment_session_timeout_minutes)
-    await publishConfigInvalidate('payment_session_timeout_minutes')
+    const config = await setPaymentRequestTimeoutMinutes(payment_request_timeout_minutes)
+    await publishConfigInvalidate('payment_request_timeout_minutes')
     return reply.send({ success: true, data: config })
   })