Phase 3.3: topic sensitivity + Phase 3.4: auth foundation

Phase 3.3 — Session Topic Sensitivity (complete):
- Backend: topic_sensitivity column + session_sensitivity_log, sensitivity service
  (flip with one-way-latch + audit), PATCH /api/shared/chat/sessions/:id/topic,
  topic carried in pairing + extension WS payloads, CC filter + sensitive stats
  + per-mitra sensitive columns on activity page
- client_app: TopicSelectionBottomSheet before pricing, topic flows through
  pairing request, silent WS handler for session_topic_updated
- mitra_app: SensitivityBadge + SensitivityTheme + sensitivityConfigProvider,
  overlay badge + yellow accent, chat screen app-bar toggle with configurable
  confirmation + latch, extension card shows current flag, history + transcript
  yellow theme
- control_center: Sensitivitas Topik settings section, topic filter + column
  with inline audit log, sensitive stats dashboard card, mitra activity
  sensitive columns with QC flag

Phase 3.4 — Self-Managed Auth (foundation only):
- Migration: auth_sessions + otp_requests tables, social identity columns on
  customers, password_hash + lockout on control_center_users, OTP + CC lockout
  app_config keys
- New services: password (bcrypt + complexity), token (JWT HS256 + refresh
  rotation, session_id claim pre-wires future Valkey revocation),
  social-identity (Google + Apple JWKS), OTP (Fazpass stub — real API TBD)
- Constants: AuthProvider + OtpChannel
- Middleware, auth route rewrites, WS auth update, Firebase → FCM isolation
  still pending (next chunk); Fazpass docs + Apple Developer setup still
  required before E2E testing

Docs:
- requirement/phase3.3.md, phase3.3-plan.md, phase3.3-testing.md
- requirement/phase3.4.md, phase3.4-plan.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend/src/services/pairing.service.js

@@ -4,7 +4,7 @@ import { sendToUser } from '../plugins/websocket.js'
 import { sendPushNotification } from './notification.service.js'
 import { startSessionTimer } from './session-timer.service.js'
 import { startSessionListener } from './chat-handler.service.js'
-import { UserType, SessionStatus, NotificationResponse, TransactionType, WsMessage } from '../constants.js'
+import { UserType, SessionStatus, NotificationResponse, TransactionType, WsMessage, TopicSensitivity } from '../constants.js'
 
 const sql = getDb()
 
@@ -63,7 +63,7 @@ export const findAvailableMitras = async () => {
   return mitras
 }
 
-export const createPairingRequest = async (customerId, { duration_minutes, price, is_free_trial } = {}) => {
+export const createPairingRequest = async (customerId, { duration_minutes, price, is_free_trial, topic_sensitivity } = {}) => {
   // Check for existing active session or request
   const [existing] = await sql`
     SELECT id, status FROM chat_sessions
@@ -83,11 +83,15 @@ export const createPairingRequest = async (customerId, { duration_minutes, price
     })
   }
 
-  // Create session with duration/price
+  const resolvedTopic = topic_sensitivity === TopicSensitivity.SENSITIVE
+    ? TopicSensitivity.SENSITIVE
+    : TopicSensitivity.REGULAR
+
+  // Create session with duration/price/topic
   const [session] = await sql`
-    INSERT INTO chat_sessions (customer_id, status, duration_minutes, price, is_free_trial)
-    VALUES (${customerId}, ${SessionStatus.PENDING_ACCEPTANCE}, ${duration_minutes || null}, ${price || 0}, ${is_free_trial || false})
-    RETURNING id, customer_id, status, duration_minutes, price, is_free_trial, created_at
+    INSERT INTO chat_sessions (customer_id, status, duration_minutes, price, is_free_trial, topic_sensitivity)
+    VALUES (${customerId}, ${SessionStatus.PENDING_ACCEPTANCE}, ${duration_minutes || null}, ${price || 0}, ${is_free_trial || false}, ${resolvedTopic})
+    RETURNING id, customer_id, status, duration_minutes, price, is_free_trial, topic_sensitivity, created_at
   `
 
   // Create notifications for all available mitras
@@ -108,6 +112,7 @@ export const createPairingRequest = async (customerId, { duration_minutes, price
       created_at: session.created_at,
       duration_minutes: session.duration_minutes,
       is_free_trial: session.is_free_trial,
+      topic_sensitivity: session.topic_sensitivity,
     })
   }
 
@@ -309,7 +314,7 @@ export const expirePairingRequest = async (sessionId) => {
 
 export const getPendingRequestsForMitra = async (mitraId) => {
   const rows = await sql`
-    SELECT cs.id AS session_id, cs.duration_minutes, cs.is_free_trial, cs.created_at
+    SELECT cs.id AS session_id, cs.duration_minutes, cs.is_free_trial, cs.topic_sensitivity, cs.created_at
     FROM chat_request_notifications crn
     JOIN chat_sessions cs ON cs.id = crn.session_id
     WHERE crn.mitra_id = ${mitraId}
@@ -322,7 +327,8 @@ export const getPendingRequestsForMitra = async (mitraId) => {
 
 export const getSessionStatus = async (sessionId) => {
   const [session] = await sql`
-    SELECT cs.id, cs.customer_id, cs.mitra_id, cs.status, cs.created_at, cs.paired_at, cs.ended_at, cs.ended_by,
+    SELECT cs.id, cs.customer_id, cs.mitra_id, cs.status, cs.topic_sensitivity,
+      cs.created_at, cs.paired_at, cs.ended_at, cs.ended_by,
       m.display_name AS mitra_display_name
     FROM chat_sessions cs
     LEFT JOIN mitras m ON m.id = cs.mitra_id