Phase 5 Xendit: Stages 1-7 (XENDIT_ENABLED=false; Stage 8 pending creds)

Backend
- payment_sessions → payment_requests rename across DB schema + 29 files
- payment.service.js becomes product-agnostic owner: EventEmitter +
  Xendit wrapper + requestPayment / confirmPayment public API; legacy
  aliases retained for existing chat callers
- Webhook handler at POST /api/shared/payment/webhooks/xendit, with
  constant-time token verification (8 vitest cases)
- Server-driven pairing: payment.service emits
  payment_request.confirmed → pairing subscriber starts the blast.
  Legacy POST /chat/request still works during the cutover.
- Reconciliation sweeper extended (re-emits events for confirmed rows
  with no chat session)
- SIGTERM drain + startup reconciliation pass in server.js

Customer app
- waiting_payment_screen opens xendit_invoice_url via
  LaunchMode.inAppBrowserView
- searching / no-bestie / targeted-waiting / pairing-notifier updated
  to consume the new payment_request_id contract
- pending_payments_provider + bestie-unavailable dialog migrated

Dev / testing
- XENDIT_ENABLED=false is the safe default; .env.example documents the
  four new vars
- backend/.dev/xendit-fake-webhook.sh exercises the handler without
  ngrok
- 90/92 backend tests pass (two pre-existing session-timer flakes,
  unrelated); client_app analyzer clean
- requirement/phase5-xendit-plan.md is the canonical reference

Stage 8 (live E2E) blocked on Xendit test-mode keys. The dashboard's
single-webhook-URL constraint will be worked around via a self-poll
script next session.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

backend/src/routes/public/client.payment.routes.js

@@ -1,10 +1,10 @@
 import { authenticate } from '../../plugins/auth.js'
 import { getCustomerById } from '../../services/customer.service.js'
 import {
-  createPaymentSession,
-  confirmPaymentSession,
-  abandonPaymentSession,
-  getPaymentSession,
+  requestPayment,
+  confirmPaymentForCustomer,
+  cancelPayment,
+  getPayment,
   getCustomerPendingPayments,
 } from '../../services/payment.service.js'
 import {
@@ -13,6 +13,7 @@ import {
   findTier,
   readFirstSessionDiscountConfig,
 } from '../../services/pricing.service.js'
+import { getXenditConfig } from '../../services/config.service.js'
 import { UserType, SessionMode } from '../../constants.js'
 
 const resolveCustomer = async (request, reply) => {
@@ -35,10 +36,10 @@ const resolveCustomer = async (request, reply) => {
 /**
  * Payment session lifecycle (mocked — no Xendit yet).
  *
- *   POST   /api/client/payment-sessions
- *   POST   /api/client/payment-sessions/:id/confirm
- *   POST   /api/client/payment-sessions/:id/cancel
- *   GET    /api/client/payment-sessions/:id
+ *   POST   /api/client/payment-requests
+ *   POST   /api/client/payment-requests/:id/confirm
+ *   POST   /api/client/payment-requests/:id/cancel
+ *   GET    /api/client/payment-requests/:id
  */
 export const clientPaymentRoutes = async (app) => {
   // Create a payment session (status = pending). First-session-discount is server-authoritative:
@@ -103,7 +104,11 @@ export const clientPaymentRoutes = async (app) => {
       }
     }
 
-    const session = await createPaymentSession({
+    // Phase 5: payment.service.js handles the Xendit invoice creation internally
+    // when XENDIT_ENABLED=true. The row comes back with xendit_invoice_url populated;
+    // when off, invoice_url is null and the dev/Maestro stub plays the webhook role.
+    const session = await requestPayment({
+      productType: 'chat_session',
       customerId: request.customer.id,
       durationMinutes: duration_minutes,
       amount,
@@ -125,12 +130,21 @@ export const clientPaymentRoutes = async (app) => {
         targeted_mitra_id: session.targeted_mitra_id,
         expires_at: session.expires_at,
         status: session.status,
+        invoice_url: session.xendit_invoice_url ?? null,
       },
     })
   })
 
   app.post('/:id/confirm', { preHandler: [authenticate, resolveCustomer] }, async (request, reply) => {
-    const session = await confirmPaymentSession(request.params.id, request.customer.id)
+    // Phase 5 D9: when Xendit is live, only the webhook can confirm. The dev/Maestro
+    // stub at /internal/_test/force-confirm-payment bypasses this gate (internal listener).
+    if (getXenditConfig().enabled) {
+      return reply.code(403).send({
+        success: false,
+        error: { code: 'FORBIDDEN', message: 'Confirmation must come from Xendit webhook' },
+      })
+    }
+    const session = await confirmPaymentForCustomer(request.params.id, request.customer.id)
     return reply.send({
       success: true,
       data: {
@@ -142,7 +156,7 @@ export const clientPaymentRoutes = async (app) => {
   })
 
   app.post('/:id/cancel', { preHandler: [authenticate, resolveCustomer] }, async (request, reply) => {
-    const session = await abandonPaymentSession(request.params.id, request.customer.id)
+    const session = await cancelPayment(request.params.id, request.customer.id)
     return reply.send({
       success: true,
       data: {
@@ -160,19 +174,34 @@ export const clientPaymentRoutes = async (app) => {
   })
 
   app.get('/:id', { preHandler: [authenticate, resolveCustomer] }, async (request, reply) => {
-    const session = await getPaymentSession(request.params.id)
+    const session = await getPayment(request.params.id)
     if (!session) {
       return reply.code(404).send({
         success: false,
-        error: { code: 'NOT_FOUND', message: 'Payment session not found' },
+        error: { code: 'NOT_FOUND', message: 'Payment request not found' },
       })
     }
     if (session.customer_id !== request.customer.id) {
       return reply.code(403).send({
         success: false,
-        error: { code: 'FORBIDDEN', message: 'Payment session does not belong to this customer' },
+        error: { code: 'FORBIDDEN', message: 'Payment request does not belong to this customer' },
       })
     }
-    return reply.send({ success: true, data: session })
+    // Phase 5: surface chat_session_id (and status) when the server-driven pairing
+    // subscriber has already started pairing for this confirmed payment. Lets the
+    // app skip its legacy POST /chat/request call and just move to the searching state.
+    const { getDb } = await import('../../db/client.js')
+    const sqlClient = getDb()
+    const [chat] = await sqlClient`
+      SELECT id, status FROM chat_sessions WHERE payment_request_id = ${session.id} LIMIT 1
+    `
+    return reply.send({
+      success: true,
+      data: {
+        ...session,
+        chat_session_id: chat?.id ?? null,
+        chat_session_status: chat?.status ?? null,
+      },
+    })
   })
 }