Phase 3.3: topic sensitivity + Phase 3.4: auth foundation

Phase 3.3 — Session Topic Sensitivity (complete):
- Backend: topic_sensitivity column + session_sensitivity_log, sensitivity service
  (flip with one-way-latch + audit), PATCH /api/shared/chat/sessions/:id/topic,
  topic carried in pairing + extension WS payloads, CC filter + sensitive stats
  + per-mitra sensitive columns on activity page
- client_app: TopicSelectionBottomSheet before pricing, topic flows through
  pairing request, silent WS handler for session_topic_updated
- mitra_app: SensitivityBadge + SensitivityTheme + sensitivityConfigProvider,
  overlay badge + yellow accent, chat screen app-bar toggle with configurable
  confirmation + latch, extension card shows current flag, history + transcript
  yellow theme
- control_center: Sensitivitas Topik settings section, topic filter + column
  with inline audit log, sensitive stats dashboard card, mitra activity
  sensitive columns with QC flag

Phase 3.4 — Self-Managed Auth (foundation only):
- Migration: auth_sessions + otp_requests tables, social identity columns on
  customers, password_hash + lockout on control_center_users, OTP + CC lockout
  app_config keys
- New services: password (bcrypt + complexity), token (JWT HS256 + refresh
  rotation, session_id claim pre-wires future Valkey revocation),
  social-identity (Google + Apple JWKS), OTP (Fazpass stub — real API TBD)
- Constants: AuthProvider + OtpChannel
- Middleware, auth route rewrites, WS auth update, Firebase → FCM isolation
  still pending (next chunk); Fazpass docs + Apple Developer setup still
  required before E2E testing

Docs:
- requirement/phase3.3.md, phase3.3-plan.md, phase3.3-testing.md
- requirement/phase3.4.md, phase3.4-plan.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend/src/routes/public/client.chat.routes.js

@@ -4,7 +4,7 @@ import { createPairingRequest, cancelPairingRequest } from '../../services/pairi
 import { getActiveSessionByCustomer, getActiveSessionByCustomerWithUnread, endSession, getCustomerHistory } from '../../services/session.service.js'
 import { getPricingForCustomer, isValidTier, isCustomerEligibleForFreeTrial, getFreeTrial } from '../../services/pricing.service.js'
 import { requestExtension } from '../../services/extension.service.js'
-import { EndedBy } from '../../constants.js'
+import { EndedBy, TopicSensitivity } from '../../constants.js'
 
 const resolveCustomer = async (request, reply) => {
   const customer = await getCustomerByFirebaseUid(request.firebaseUser.uid)
@@ -25,7 +25,14 @@ export const clientChatRoutes = async (app) => {
   })
 
   app.post('/request', { preHandler: [authenticate, resolveCustomer] }, async (request, reply) => {
-    const { duration_minutes, price, is_free_trial } = request.body || {}
+    const { duration_minutes, price, is_free_trial, topic_sensitivity } = request.body || {}
+
+    if (topic_sensitivity !== TopicSensitivity.REGULAR && topic_sensitivity !== TopicSensitivity.SENSITIVE) {
+      return reply.code(400).send({
+        success: false,
+        error: { code: 'BAD_REQUEST', message: 'topic_sensitivity must be regular or sensitive' },
+      })
+    }
 
     // Validate selection
     if (is_free_trial) {
@@ -41,6 +48,7 @@ export const clientChatRoutes = async (app) => {
         duration_minutes: freeTrial.duration_minutes,
         price: 0,
         is_free_trial: true,
+        topic_sensitivity,
       })
       return reply.code(201).send({ success: true, data: session })
     }
@@ -59,7 +67,7 @@ export const clientChatRoutes = async (app) => {
       })
     }
 
-    const session = await createPairingRequest(request.customer.id, { duration_minutes, price, is_free_trial: false })
+    const session = await createPairingRequest(request.customer.id, { duration_minutes, price, is_free_trial: false, topic_sensitivity })
     return reply.code(201).send({ success: true, data: session })
   })