Phase 3.3: topic sensitivity + Phase 3.4: auth foundation

Phase 3.3 — Session Topic Sensitivity (complete):
- Backend: topic_sensitivity column + session_sensitivity_log, sensitivity service
  (flip with one-way-latch + audit), PATCH /api/shared/chat/sessions/:id/topic,
  topic carried in pairing + extension WS payloads, CC filter + sensitive stats
  + per-mitra sensitive columns on activity page
- client_app: TopicSelectionBottomSheet before pricing, topic flows through
  pairing request, silent WS handler for session_topic_updated
- mitra_app: SensitivityBadge + SensitivityTheme + sensitivityConfigProvider,
  overlay badge + yellow accent, chat screen app-bar toggle with configurable
  confirmation + latch, extension card shows current flag, history + transcript
  yellow theme
- control_center: Sensitivitas Topik settings section, topic filter + column
  with inline audit log, sensitive stats dashboard card, mitra activity
  sensitive columns with QC flag

Phase 3.4 — Self-Managed Auth (foundation only):
- Migration: auth_sessions + otp_requests tables, social identity columns on
  customers, password_hash + lockout on control_center_users, OTP + CC lockout
  app_config keys
- New services: password (bcrypt + complexity), token (JWT HS256 + refresh
  rotation, session_id claim pre-wires future Valkey revocation),
  social-identity (Google + Apple JWKS), OTP (Fazpass stub — real API TBD)
- Constants: AuthProvider + OtpChannel
- Middleware, auth route rewrites, WS auth update, Firebase → FCM isolation
  still pending (next chunk); Fazpass docs + Apple Developer setup still
  required before E2E testing

Docs:
- requirement/phase3.3.md, phase3.3-plan.md, phase3.3-testing.md
- requirement/phase3.4.md, phase3.4-plan.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend/src/services/mitra-activity.service.js

@@ -1,4 +1,5 @@
 import { getDb } from '../db/client.js'
+import { TopicSensitivity } from '../constants.js'
 
 const sql = getDb()
 
@@ -18,12 +19,14 @@ export const getMitraActivityLog = async ({ mitra_id, date_from, date_to, page =
     SELECT crn.id, crn.session_id, crn.mitra_id, crn.response,
       crn.notified_at, crn.responded_at, crn.active_session_count,
       m.display_name AS mitra_display_name,
+      cs.topic_sensitivity,
       CASE WHEN crn.responded_at IS NOT NULL
         THEN EXTRACT(EPOCH FROM (crn.responded_at - crn.notified_at))::int
         ELSE NULL
       END AS response_time_seconds
     FROM chat_request_notifications crn
     INNER JOIN mitras m ON m.id = crn.mitra_id
+    LEFT JOIN chat_sessions cs ON cs.id = crn.session_id
     ${where}
     ORDER BY crn.notified_at DESC
     LIMIT ${limit} OFFSET ${offset}
@@ -63,9 +66,17 @@ export const getMitraActivitySummary = async ({ mitra_id, date_from, date_to } =
           THEN EXTRACT(EPOCH FROM (crn.responded_at - crn.notified_at))
           ELSE NULL
         END
-      )::numeric(10,1) AS avg_response_time_seconds
+      )::numeric(10,1) AS avg_response_time_seconds,
+      COUNT(*) FILTER (WHERE cs.topic_sensitivity = ${TopicSensitivity.SENSITIVE})::int AS sensitive_total,
+      COUNT(*) FILTER (WHERE cs.topic_sensitivity = ${TopicSensitivity.SENSITIVE} AND crn.response = 'accepted')::int AS sensitive_accepted,
+      COUNT(*) FILTER (WHERE cs.topic_sensitivity = ${TopicSensitivity.SENSITIVE} AND crn.response = 'declined')::int AS sensitive_rejected,
+      ROUND(
+        100.0 * COUNT(*) FILTER (WHERE cs.topic_sensitivity = ${TopicSensitivity.SENSITIVE} AND crn.response = 'accepted')
+        / NULLIF(COUNT(*) FILTER (WHERE cs.topic_sensitivity = ${TopicSensitivity.SENSITIVE}), 0), 1
+      ) AS sensitive_acceptance_rate
     FROM chat_request_notifications crn
     INNER JOIN mitras m ON m.id = crn.mitra_id
+    LEFT JOIN chat_sessions cs ON cs.id = crn.session_id
     ${where}
     GROUP BY crn.mitra_id, m.display_name
     ORDER BY acceptance_rate DESC NULLS LAST