Phase 3.3: topic sensitivity + Phase 3.4: auth foundation

Phase 3.3 — Session Topic Sensitivity (complete):
- Backend: topic_sensitivity column + session_sensitivity_log, sensitivity service
  (flip with one-way-latch + audit), PATCH /api/shared/chat/sessions/:id/topic,
  topic carried in pairing + extension WS payloads, CC filter + sensitive stats
  + per-mitra sensitive columns on activity page
- client_app: TopicSelectionBottomSheet before pricing, topic flows through
  pairing request, silent WS handler for session_topic_updated
- mitra_app: SensitivityBadge + SensitivityTheme + sensitivityConfigProvider,
  overlay badge + yellow accent, chat screen app-bar toggle with configurable
  confirmation + latch, extension card shows current flag, history + transcript
  yellow theme
- control_center: Sensitivitas Topik settings section, topic filter + column
  with inline audit log, sensitive stats dashboard card, mitra activity
  sensitive columns with QC flag

Phase 3.4 — Self-Managed Auth (foundation only):
- Migration: auth_sessions + otp_requests tables, social identity columns on
  customers, password_hash + lockout on control_center_users, OTP + CC lockout
  app_config keys
- New services: password (bcrypt + complexity), token (JWT HS256 + refresh
  rotation, session_id claim pre-wires future Valkey revocation),
  social-identity (Google + Apple JWKS), OTP (Fazpass stub — real API TBD)
- Constants: AuthProvider + OtpChannel
- Middleware, auth route rewrites, WS auth update, Firebase → FCM isolation
  still pending (next chunk); Fazpass docs + Apple Developer setup still
  required before E2E testing

Docs:
- requirement/phase3.3.md, phase3.3-plan.md, phase3.3-testing.md
- requirement/phase3.4.md, phase3.4-plan.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend/src/services/config.service.js

@@ -128,3 +128,97 @@ export const setEarlyEndConfig = async ({ mitra_enabled, customer_enabled }) =>
   }
   return getEarlyEndConfig()
 }
+
+// --- Phase 3.3: Session Topic Sensitivity ---
+
+export const getSensitivityConfig = async () => {
+  const [confirmRow] = await sql`SELECT value FROM app_config WHERE key = 'sensitive_flip_confirmation_enabled'`
+  const [latchRow] = await sql`SELECT value FROM app_config WHERE key = 'sensitive_flag_one_way_latch'`
+  return {
+    flip_confirmation_enabled: confirmRow?.value?.value ?? true,
+    one_way_latch: latchRow?.value?.value ?? false,
+  }
+}
+
+export const setSensitivityConfig = async ({ flip_confirmation_enabled, one_way_latch }) => {
+  if (flip_confirmation_enabled !== undefined) {
+    await sql`
+      INSERT INTO app_config (key, value, updated_at)
+      VALUES ('sensitive_flip_confirmation_enabled', ${sql.json({ value: flip_confirmation_enabled })}, NOW())
+      ON CONFLICT (key) DO UPDATE SET value = EXCLUDED.value, updated_at = NOW()
+    `
+  }
+  if (one_way_latch !== undefined) {
+    await sql`
+      INSERT INTO app_config (key, value, updated_at)
+      VALUES ('sensitive_flag_one_way_latch', ${sql.json({ value: one_way_latch })}, NOW())
+      ON CONFLICT (key) DO UPDATE SET value = EXCLUDED.value, updated_at = NOW()
+    `
+  }
+  return getSensitivityConfig()
+}
+
+// --- Phase 3.4: Self-Managed Auth ---
+
+export const getOtpRateLimits = async () => {
+  const [phoneRow] = await sql`SELECT value FROM app_config WHERE key = 'otp_max_per_phone_per_hour'`
+  const [ipRow] = await sql`SELECT value FROM app_config WHERE key = 'otp_max_per_ip_per_hour'`
+  const [resendRow] = await sql`SELECT value FROM app_config WHERE key = 'otp_resend_cooldown_seconds'`
+  const [attemptsRow] = await sql`SELECT value FROM app_config WHERE key = 'otp_verify_max_attempts'`
+  return {
+    max_per_phone_per_hour: phoneRow?.value?.value ?? 3,
+    max_per_ip_per_hour: ipRow?.value?.value ?? 10,
+    resend_cooldown_seconds: resendRow?.value?.value ?? 60,
+    verify_max_attempts: attemptsRow?.value?.value ?? 5,
+  }
+}
+
+export const setOtpRateLimits = async ({
+  max_per_phone_per_hour,
+  max_per_ip_per_hour,
+  resend_cooldown_seconds,
+  verify_max_attempts,
+}) => {
+  const pairs = [
+    ['otp_max_per_phone_per_hour', max_per_phone_per_hour],
+    ['otp_max_per_ip_per_hour', max_per_ip_per_hour],
+    ['otp_resend_cooldown_seconds', resend_cooldown_seconds],
+    ['otp_verify_max_attempts', verify_max_attempts],
+  ]
+  for (const [key, value] of pairs) {
+    if (value === undefined) continue
+    await sql`
+      INSERT INTO app_config (key, value, updated_at)
+      VALUES (${key}, ${sql.json({ value })}, NOW())
+      ON CONFLICT (key) DO UPDATE SET value = EXCLUDED.value, updated_at = NOW()
+    `
+  }
+  return getOtpRateLimits()
+}
+
+export const getCcLoginLockoutConfig = async () => {
+  const [attemptsRow] = await sql`SELECT value FROM app_config WHERE key = 'cc_login_max_attempts'`
+  const [minutesRow] = await sql`SELECT value FROM app_config WHERE key = 'cc_login_lockout_minutes'`
+  return {
+    max_attempts: attemptsRow?.value?.value ?? 5,
+    lockout_minutes: minutesRow?.value?.value ?? 15,
+  }
+}
+
+export const setCcLoginLockoutConfig = async ({ max_attempts, lockout_minutes }) => {
+  if (max_attempts !== undefined) {
+    await sql`
+      INSERT INTO app_config (key, value, updated_at)
+      VALUES ('cc_login_max_attempts', ${sql.json({ value: max_attempts })}, NOW())
+      ON CONFLICT (key) DO UPDATE SET value = EXCLUDED.value, updated_at = NOW()
+    `
+  }
+  if (lockout_minutes !== undefined) {
+    await sql`
+      INSERT INTO app_config (key, value, updated_at)
+      VALUES ('cc_login_lockout_minutes', ${sql.json({ value: lockout_minutes })}, NOW())
+      ON CONFLICT (key) DO UPDATE SET value = EXCLUDED.value, updated_at = NOW()
+    `
+  }
+  return getCcLoginLockoutConfig()
+}