Phase 5 Xendit: Stages 1-7 (XENDIT_ENABLED=false; Stage 8 pending creds)

Backend
- payment_sessions → payment_requests rename across DB schema + 29 files
- payment.service.js becomes product-agnostic owner: EventEmitter +
  Xendit wrapper + requestPayment / confirmPayment public API; legacy
  aliases retained for existing chat callers
- Webhook handler at POST /api/shared/payment/webhooks/xendit, with
  constant-time token verification (8 vitest cases)
- Server-driven pairing: payment.service emits
  payment_request.confirmed → pairing subscriber starts the blast.
  Legacy POST /chat/request still works during the cutover.
- Reconciliation sweeper extended (re-emits events for confirmed rows
  with no chat session)
- SIGTERM drain + startup reconciliation pass in server.js

Customer app
- waiting_payment_screen opens xendit_invoice_url via
  LaunchMode.inAppBrowserView
- searching / no-bestie / targeted-waiting / pairing-notifier updated
  to consume the new payment_request_id contract
- pending_payments_provider + bestie-unavailable dialog migrated

Dev / testing
- XENDIT_ENABLED=false is the safe default; .env.example documents the
  four new vars
- backend/.dev/xendit-fake-webhook.sh exercises the handler without
  ngrok
- 90/92 backend tests pass (two pre-existing session-timer flakes,
  unrelated); client_app analyzer clean
- requirement/phase5-xendit-plan.md is the canonical reference

Stage 8 (live E2E) blocked on Xendit test-mode keys. The dashboard's
single-webhook-URL constraint will be worked around via a self-poll
script next session.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

backend/src/services/extension.service.js

@@ -14,7 +14,7 @@ import {
   ExtensionStatus,
   TransactionType,
   WsMessage,
-  PaymentSessionStatus,
+  PaymentRequestStatus,
   ExtensionTimeoutAction,
   PairingFailureCause,
 } from '../constants.js'
@@ -39,7 +39,7 @@ const getExtensionTimeoutAction = async () => {
 /**
  * Customer requests an extension.
  *
- * `extension_payment_session_id` is REQUIRED. The payment session must:
+ * `extension_payment_request_id` is REQUIRED. The payment session must:
  *   - belong to this customer
  *   - be in `confirmed` status (not yet consumed)
  *   - have `is_extension = true`
@@ -48,7 +48,7 @@ const getExtensionTimeoutAction = async () => {
  * The payment session is NOT consumed at request time. It is consumed at approval moment
  * (mitra explicit accept OR auto-approve fires).
  */
-export const requestExtension = async (sessionId, customerId, { duration_minutes, price, extension_payment_session_id }) => {
+export const requestExtension = async (sessionId, customerId, { duration_minutes, price, extension_payment_request_id }) => {
   // Verify session belongs to customer and is in an extendable state.
   // customer_display_name is pulled along for the FCM body when the mitra
   // misses the WS frame.
@@ -65,31 +65,31 @@ export const requestExtension = async (sessionId, customerId, { duration_minutes
   }
 
   // Validate extension payment session
-  if (!extension_payment_session_id) {
-    throw Object.assign(new Error('extension_payment_session_id is required'), {
+  if (!extension_payment_request_id) {
+    throw Object.assign(new Error('extension_payment_request_id is required'), {
       code: 'VALIDATION_ERROR', statusCode: 422,
     })
   }
-  const paySession = await getPaymentSession(extension_payment_session_id)
-  if (!paySession) {
+  const payRequest = await getPaymentSession(extension_payment_request_id)
+  if (!payRequest) {
     throw Object.assign(new Error('Payment session not found'), { code: 'NOT_FOUND', statusCode: 404 })
   }
-  if (paySession.customer_id !== customerId) {
+  if (payRequest.customer_id !== customerId) {
     throw Object.assign(new Error('Payment session does not belong to this customer'), {
       code: 'FORBIDDEN', statusCode: 403,
     })
   }
-  if (paySession.status !== PaymentSessionStatus.CONFIRMED) {
-    throw Object.assign(new Error(`Payment session is ${paySession.status}, must be confirmed`), {
+  if (payRequest.status !== PaymentRequestStatus.CONFIRMED) {
+    throw Object.assign(new Error(`Payment session is ${payRequest.status}, must be confirmed`), {
       code: 'INVALID_STATE', statusCode: 409,
     })
   }
-  if (!paySession.is_extension) {
+  if (!payRequest.is_extension) {
     throw Object.assign(new Error('Payment session is not flagged as an extension payment'), {
       code: 'INVALID_STATE', statusCode: 409,
     })
   }
-  if (paySession.is_first_session_discount) {
+  if (payRequest.is_first_session_discount) {
     throw Object.assign(new Error('First-session discount is not available for extensions'), {
       code: 'FIRST_SESSION_DISCOUNT_NOT_ALLOWED', statusCode: 400,
     })
@@ -97,9 +97,9 @@ export const requestExtension = async (sessionId, customerId, { duration_minutes
 
   // Create extension record (linked to its payment session)
   const [extension] = await sql`
-    INSERT INTO session_extensions (session_id, requested_duration_minutes, requested_price, status, payment_session_id)
-    VALUES (${sessionId}, ${duration_minutes}, ${price}, ${ExtensionStatus.PENDING}, ${extension_payment_session_id})
-    RETURNING id, session_id, requested_duration_minutes, requested_price, status, requested_at, payment_session_id
+    INSERT INTO session_extensions (session_id, requested_duration_minutes, requested_price, status, payment_request_id)
+    VALUES (${sessionId}, ${duration_minutes}, ${price}, ${ExtensionStatus.PENDING}, ${extension_payment_request_id})
+    RETURNING id, session_id, requested_duration_minutes, requested_price, status, requested_at, payment_request_id
   `
 
   // Pause the session
@@ -182,7 +182,7 @@ const finalizeExtension = async (extensionId, sessionId, accepted, viaTimeout) =
     UPDATE session_extensions
     SET status = ${status}, responded_at = NOW()
     WHERE id = ${extensionId} AND session_id = ${sessionId} AND status = ${ExtensionStatus.PENDING}
-    RETURNING id, session_id, requested_duration_minutes, requested_price, status, payment_session_id
+    RETURNING id, session_id, requested_duration_minutes, requested_price, status, payment_request_id
   `
 
   if (!extension) {
@@ -201,8 +201,8 @@ const finalizeExtension = async (extensionId, sessionId, accepted, viaTimeout) =
 
   if (accepted) {
     // Charge fires AT approval moment (explicit OR auto-approve).
-    if (extension.payment_session_id) {
-      await consumePaymentSession(extension.payment_session_id)
+    if (extension.payment_request_id) {
+      await consumePaymentSession(extension.payment_request_id)
     }
 
     // Clear any pending grace timer from the previous expiry
@@ -244,8 +244,8 @@ const finalizeExtension = async (extensionId, sessionId, accepted, viaTimeout) =
     // Rejected — no charge. Fail the extension payment session if present.
     // viaTimeout=false here means an explicit mitra reject (the timer path goes through
     // timeoutExtension which never enters this branch with viaTimeout=true for reject).
-    if (extension.payment_session_id) {
-      await failPaymentSession(extension.payment_session_id, PairingFailureCause.EXTENSION_REJECTED)
+    if (extension.payment_request_id) {
+      await failPaymentSession(extension.payment_request_id, PairingFailureCause.EXTENSION_REJECTED)
     }
 
     await sql`UPDATE chat_sessions SET status = ${SessionStatus.CLOSING} WHERE id = ${extension.session_id}`
@@ -321,12 +321,12 @@ const timeoutExtension = async (extensionId, sessionId, mitraId) => {
     UPDATE session_extensions
     SET status = ${ExtensionStatus.TIMEOUT}, responded_at = NOW()
     WHERE id = ${extensionId} AND status = ${ExtensionStatus.PENDING}
-    RETURNING id, payment_session_id
+    RETURNING id, payment_request_id
   `
   if (!timedOut) return
 
-  if (timedOut.payment_session_id) {
-    await failPaymentSession(timedOut.payment_session_id, causeTag)
+  if (timedOut.payment_request_id) {
+    await failPaymentSession(timedOut.payment_request_id, causeTag)
   }
 
   // Move session to closing & notify both parties (matches the explicit-reject UX).