Phase 3.4: client_app self-managed auth cutover

Rips firebase_auth; auth talks directly to the new backend endpoints.
Anonymous-first + phone OTP work end-to-end; Google/Apple SDKs are kept
but buttons are hidden behind ENABLE_SOCIAL_AUTH until backend OAuth
credentials are provisioned.

Smoke-tested against the backend via curl:
- anonymous → PATCH display_name → /me
- OTP request (read stub code from backend log) → verify with
  anonymous_customer_id → same customer row preserved, display_name
  preserved, phone added → upgrade confirmed
- refresh rotation + logout → post-logout refresh correctly fails
  REFRESH_INVALID
- Debug APK builds clean

- pubspec: drop firebase_auth; add flutter_secure_storage
- core/auth/auth_bridge.dart: shared mutable state (access token +
  refresh callback + in-flight de-dup) — keepAlive provider
- core/auth/token_storage.dart: flutter_secure_storage wrapper
  (customer_refresh_token key)
- core/auth/social_auth_enabled.dart: const flag from
  --dart-define=ENABLE_SOCIAL_AUTH (default false)
- core/auth/auth_notifier.dart: bootstrap via stored refresh; anonymous
  via /api/shared/auth/anonymous + PATCH display_name; phone OTP via
  /api/client/auth/*; Google + Apple wired (passes anonymous_customer_id
  for upgrade); anonymity config check for ForceRegister state; granular
  error-code mapping
- core/api/api_client.dart: Bearer from bridge + postRaw(skipAuth) for
  auth endpoints + single-retry 401 refresh
- core/chat/chat_notifier.dart + core/pairing/pairing_notifier.dart: WS
  auth frame reads bridge.accessToken
- features/auth/screens/otp_screen.dart: verificationId → otpRequestId
- features/auth/screens/register_screen.dart + force_register_screen.dart:
  Google/Apple buttons gated behind kSocialAuthEnabled; force_register
  drops obsolete linkAccount() (upgrade happens server-side now via
  anonymous_customer_id)
- client_app/CLAUDE.md: Auth section rewritten (was stale on Firebase)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

client_app/lib/features/auth/screens/force_register_screen.dart

@@ -2,9 +2,12 @@ import 'package:flutter/material.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:go_router/go_router.dart';
 import '../../../core/auth/auth_notifier.dart';
+import '../../../core/auth/social_auth_enabled.dart';
 
 /// Shown when anonymity is disabled by admin.
-/// User must link their account. Display name is pre-filled.
+/// User must identify themselves (phone OTP / Google / Apple).
+/// Backend upgrades the existing anonymous customer row when the current
+/// anonymous_customer_id is passed on sign-in (see AuthNotifier).
 class ForceRegisterScreen extends ConsumerStatefulWidget {
   const ForceRegisterScreen({super.key});
 
@@ -31,10 +34,6 @@ class _ForceRegisterScreenState extends ConsumerState<ForceRegisterScreen> {
       if (data is AuthOtpSentData) {
         context.push('/auth/otp', extra: _phoneController.text.trim());
       }
-      if (data is AuthAuthenticatedData) {
-        // After social login succeeds, link account to existing anonymous record
-        ref.read(authProvider.notifier).linkAccount();
-      }
       if (next is AsyncError) {
         ScaffoldMessenger.of(context).showSnackBar(SnackBar(content: Text(next.error.toString())));
       }
@@ -52,27 +51,29 @@ class _ForceRegisterScreenState extends ConsumerState<ForceRegisterScreen> {
               style: TextStyle(fontSize: 16),
             ),
             const SizedBox(height: 24),
-            ElevatedButton.icon(
-              icon: const Icon(Icons.g_mobiledata),
-              onPressed: isLoading ? null
-                  : () => ref.read(authProvider.notifier).loginGoogle(),
-              label: const Text('Lanjut dengan Google'),
-            ),
-            const SizedBox(height: 12),
-            ElevatedButton.icon(
-              icon: const Icon(Icons.apple),
-              onPressed: isLoading ? null
-                  : () => ref.read(authProvider.notifier).loginApple(),
-              label: const Text('Lanjut dengan Apple'),
-            ),
-            const Padding(
-              padding: EdgeInsets.symmetric(vertical: 24),
-              child: Row(children: [
-                Expanded(child: Divider()),
-                Padding(padding: EdgeInsets.symmetric(horizontal: 12), child: Text('atau')),
-                Expanded(child: Divider()),
-              ]),
-            ),
+            if (kSocialAuthEnabled) ...[
+              ElevatedButton.icon(
+                icon: const Icon(Icons.g_mobiledata),
+                onPressed: isLoading ? null
+                    : () => ref.read(authProvider.notifier).loginGoogle(),
+                label: const Text('Lanjut dengan Google'),
+              ),
+              const SizedBox(height: 12),
+              ElevatedButton.icon(
+                icon: const Icon(Icons.apple),
+                onPressed: isLoading ? null
+                    : () => ref.read(authProvider.notifier).loginApple(),
+                label: const Text('Lanjut dengan Apple'),
+              ),
+              const Padding(
+                padding: EdgeInsets.symmetric(vertical: 24),
+                child: Row(children: [
+                  Expanded(child: Divider()),
+                  Padding(padding: EdgeInsets.symmetric(horizontal: 12), child: Text('atau')),
+                  Expanded(child: Divider()),
+                ]),
+              ),
+            ],
             TextField(
               controller: _phoneController,
               decoration: const InputDecoration(

client_app/lib/features/auth/screens/otp_screen.dart

@@ -12,15 +12,15 @@ class OtpScreen extends ConsumerStatefulWidget {
 
 class _OtpScreenState extends ConsumerState<OtpScreen> {
   final _otpController = TextEditingController();
-  String? _verificationId;
+  String? _otpRequestId;
 
   @override
   void initState() {
     super.initState();
-    // Capture verification ID from current state
+    // Capture OTP request id from current state
     final data = ref.read(authProvider).valueOrNull;
     if (data is AuthOtpSentData) {
-      _verificationId = data.verificationId;
+      _otpRequestId = data.otpRequestId;
     }
   }
 
@@ -35,10 +35,10 @@ class _OtpScreenState extends ConsumerState<OtpScreen> {
     final authState = ref.watch(authProvider);
     final isLoading = authState is AsyncLoading;
 
-    // Update verification ID if state changes
+    // Update OTP request id if state changes (e.g. resend)
     final data = authState.valueOrNull;
     if (data is AuthOtpSentData) {
-      _verificationId = data.verificationId;
+      _otpRequestId = data.otpRequestId;
     }
 
     ref.listen(authProvider, (prev, next) {
@@ -69,8 +69,8 @@ class _OtpScreenState extends ConsumerState<OtpScreen> {
             ElevatedButton(
               onPressed: isLoading ? null : () {
                 final otp = _otpController.text.trim();
-                if (otp.length != 6 || _verificationId == null) return;
-                ref.read(authProvider.notifier).verifyOtp(_verificationId!, otp);
+                if (otp.length != 6 || _otpRequestId == null) return;
+                ref.read(authProvider.notifier).verifyOtp(_otpRequestId!, otp);
               },
               child: isLoading
                   ? const CircularProgressIndicator()

client_app/lib/features/auth/screens/register_screen.dart

@@ -2,6 +2,7 @@ import 'package:flutter/material.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:go_router/go_router.dart';
 import '../../../core/auth/auth_notifier.dart';
+import '../../../core/auth/social_auth_enabled.dart';
 
 class RegisterScreen extends ConsumerStatefulWidget {
   const RegisterScreen({super.key});
@@ -41,27 +42,29 @@ class _RegisterScreenState extends ConsumerState<RegisterScreen> {
         child: Column(
           crossAxisAlignment: CrossAxisAlignment.stretch,
           children: [
-            ElevatedButton.icon(
-              icon: const Icon(Icons.g_mobiledata),
-              onPressed: isLoading ? null
-                  : () => ref.read(authProvider.notifier).loginGoogle(),
-              label: const Text('Lanjut dengan Google'),
-            ),
-            const SizedBox(height: 12),
-            ElevatedButton.icon(
-              icon: const Icon(Icons.apple),
-              onPressed: isLoading ? null
-                  : () => ref.read(authProvider.notifier).loginApple(),
-              label: const Text('Lanjut dengan Apple'),
-            ),
-            const Padding(
-              padding: EdgeInsets.symmetric(vertical: 24),
-              child: Row(children: [
-                Expanded(child: Divider()),
-                Padding(padding: EdgeInsets.symmetric(horizontal: 12), child: Text('atau')),
-                Expanded(child: Divider()),
-              ]),
-            ),
+            if (kSocialAuthEnabled) ...[
+              ElevatedButton.icon(
+                icon: const Icon(Icons.g_mobiledata),
+                onPressed: isLoading ? null
+                    : () => ref.read(authProvider.notifier).loginGoogle(),
+                label: const Text('Lanjut dengan Google'),
+              ),
+              const SizedBox(height: 12),
+              ElevatedButton.icon(
+                icon: const Icon(Icons.apple),
+                onPressed: isLoading ? null
+                    : () => ref.read(authProvider.notifier).loginApple(),
+                label: const Text('Lanjut dengan Apple'),
+              ),
+              const Padding(
+                padding: EdgeInsets.symmetric(vertical: 24),
+                child: Row(children: [
+                  Expanded(child: Divider()),
+                  Padding(padding: EdgeInsets.symmetric(horizontal: 12), child: Text('atau')),
+                  Expanded(child: Divider()),
+                ]),
+              ),
+            ],
             TextField(
               controller: _phoneController,
               decoration: const InputDecoration(