Phase 4 checkpoint: chat-screen perf refactor + retryable blast-failure + repo-wide dispose-ref guardrail

Chat-screen performance (customer + mitra):
- Parent screens have zero `ref.watch` — only `ref.listen` for side effects
- Body extracted into its own `ConsumerStatefulWidget`; AppBar parts split
  into narrow `.select` consumers (mode, sensitivity, timer)
- Per-second timer ticks routed to dedicated providers
  (`chatRemainingSecondsProvider` + new `mitraChatRemainingSecondsProvider`)
  so WS `session_tick` frames don't invalidate the rest of the chat state

Dispose-in-ref bug fix:
- `home_screen.dart`, `payment_screen.dart`, `mitra_chat_screen.dart` —
  ref-using cleanup moved from `dispose()` to `deactivate()`. Modern
  Riverpod invalidates `ref` the moment `dispose()` runs; the resulting
  silent error corrupts the widget-tree finalize and the next screen
  appears frozen
- `halo_lints` package added at repo root with `no_ref_in_dispose` rule
  to catch this pattern in CI / IDE analysis
- `custom_lint` activated in both apps' `analysis_options.yaml`
  (was installed but never wired in — also brings `riverpod_lint`'s
  `avoid_ref_inside_state_dispose` online)
- CLAUDE.md Pitfalls section added to client_app + mitra_app

Phase 4 §3 retryable blast-failure (Option A):
- Backend `expirePairingRequest` + all-rejected use
  `recordIntermediateFailure` instead of `failPaymentSession` so the
  payment session stays `confirmed` for re-blast
- WS `pairing_failed` payload carries `is_terminal: false` on the
  retryable paths; client parses the flag and exposes `retryBlast()`
- "Coba cari lagi" CTA on S7 Timeout now re-blasts on the same payment
- Pairing service test updated to reflect the new semantics

Customer waiting-payment screen navigation patch:
- `_navigateTerminal` uses `Future.microtask` + `addPostFrameCallback`
  redundancy after a release-mode bug where polling stopped but
  `context.go` never fired, leaving the screen visually stuck on
  "menunggu pembayaran"

See requirement/resume-2026-05-15.md for next-day pickup checklist
(mitra release rebuild + S21 Ultra install + retest is the gating item).

Bundles unrelated in-flight Phase 4 §2.x work that was already on disk
(ESP screen removal, USP one-time gate scaffolding, bestie-availability
public route, OTP service edits, Maestro flow tweaks) — kept together
to avoid a partial-rebase mess.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend/src/app.public.js

@@ -11,6 +11,7 @@ import { mitraChatRoutes } from './routes/public/mitra.chat.routes.js'
 import { clientChatRoutes } from './routes/public/client.chat.routes.js'
 import { clientPaymentRoutes } from './routes/public/client.payment.routes.js'
 import { clientMitraAvailabilityRoutes } from './routes/public/client.mitra-availability.routes.js'
+import { publicBestieAvailabilityRoutes } from './routes/public/public.bestie-availability.routes.js'
 import { clientOnboardingRoutes } from './routes/public/client.onboarding.routes.js'
 import { clientSupportRoutes } from './routes/public/client.support.routes.js'
 import { sharedChatRoutes } from './routes/public/shared.chat.routes.js'
@@ -36,6 +37,7 @@ export const buildPublicApp = async () => {
   app.register(clientChatRoutes, { prefix: '/api/client/chat' })
   app.register(clientPaymentRoutes, { prefix: '/api/client/payment-sessions' })
   app.register(clientMitraAvailabilityRoutes, { prefix: '/api/client/mitra-availability' })
+  app.register(publicBestieAvailabilityRoutes, { prefix: '/api/public/bestie' })
   // Phase 4: onboarding-state + support handles. Both are tiny so they live in their
   // own files rather than bloating client.auth.routes / shared.config.routes.
   app.register(clientOnboardingRoutes, { prefix: '/api/client' })

backend/src/routes/public/client.mitra-availability.routes.js

@@ -3,15 +3,17 @@ import { countAvailableMitrasFromCache } from '../../services/mitra-status.servi
 import { UserType } from '../../constants.js'
 
 /**
- * Customer-home availability poll.
+ * Customer-authed availability poll (kept for CC/debug callers that want the
+ * raw count).
  *
- *   GET /api/client/mitra-availability  →  200 { available: bool, count?: number }
+ *   GET /api/client/mitra-availability  →  200 { available: bool, count: number }
  *
- * Hot endpoint by design — polled every 5s per active customer while their home is
- * foregrounded. Backed by a 10s in-memory cache (see mitra-status.service.js) so DB load
+ * The customer home polls `/api/public/bestie/available` instead — that route
+ * is unauthenticated and returns only the boolean, since SHome1st renders
+ * before the user has any JWT (see `requirement/flow_customer.mermaid.md` §1).
+ *
+ * Backed by a 10s in-memory cache (see mitra-status.service.js) so DB load
  * stays bounded regardless of poller count. No rate limit by intent.
- *
- * `count` is included for CC/debug; the customer UI must read only `available`.
  */
 export const clientMitraAvailabilityRoutes = async (app) => {
   app.get('/', { preHandler: [authenticate] }, async (request, reply) => {

backend/src/routes/public/public.bestie-availability.routes.js

@@ -0,0 +1,25 @@
+import { countAvailableMitrasFromCache } from '../../services/mitra-status.service.js'
+
+/**
+ * Public bestie-availability beacon.
+ *
+ *   GET /api/public/bestie/available  →  200 { available: bool }
+ *
+ * Unauthenticated by design: the SHome1st CTA must reflect global availability
+ * BEFORE the user has any JWT (see `requirement/flow_customer.mermaid.md` §1 +
+ * router.dart's "fresh / unauthenticated users land on Home directly" carve-out).
+ *
+ * Output is intentionally a single boolean — no `count`, no IDs, no metadata —
+ * so this endpoint leaks no operational signal beyond "at least one bestie is
+ * online right now". Backed by the same 10s in-memory cache that bounds DB
+ * load regardless of poller count.
+ *
+ * The auth'd `/api/client/mitra-availability` route is kept for CC/debug
+ * callers that need the raw count.
+ */
+export const publicBestieAvailabilityRoutes = async (app) => {
+  app.get('/available', async (_request, reply) => {
+    const { available } = await countAvailableMitrasFromCache()
+    return reply.send({ success: true, data: { available } })
+  })
+}

backend/src/services/extension.service.js

@@ -182,7 +182,7 @@ const finalizeExtension = async (extensionId, sessionId, accepted, viaTimeout) =
     clearClosureGraceTimer(sessionId)
 
     // Extend the session
-    await extendSessionTimer(extension.session_id, extension.requested_duration_minutes)
+    const extended = await extendSessionTimer(extension.session_id, extension.requested_duration_minutes)
 
     // Resume session
     await sql`UPDATE chat_sessions SET status = ${SessionStatus.ACTIVE} WHERE id = ${extension.session_id}`
@@ -194,11 +194,15 @@ const finalizeExtension = async (extensionId, sessionId, accepted, viaTimeout) =
       FROM chat_sessions WHERE id = ${extension.session_id}
     `
 
-    // Notify both parties
+    // Notify both parties. Include the freshly-extended `expires_at` so the
+    // customer's local seconds-left ticker can resume immediately — without it,
+    // the client has to wait until the next 60s SESSION_TIMER ping to pick up
+    // the new deadline, leaving the floating expired banner stuck on-screen.
     sendToSessionParticipant(sessionId, UserType.CUSTOMER, {
       type: WsMessage.EXTENSION_RESPONSE,
       accepted: true,
       duration_minutes: extension.requested_duration_minutes,
+      expires_at: extended?.expires_at ?? null,
       via_timeout: viaTimeout,
     })
     sendToSessionParticipant(sessionId, UserType.CUSTOMER, {

backend/src/services/otp.service.js

@@ -22,6 +22,11 @@ const OTP_TTL_MINUTES = 5
 // -------------------------------------------------------------------
 
 const generate6DigitCode = () => {
+  // Dev escape hatch: when OTP_STATIC_CODE is set (6 digits), every stub OTP
+  // returns this exact value. Lets manual testers skip the peek round-trip.
+  // Leave unset in production — real Fazpass owns the code there.
+  const staticCode = process.env.OTP_STATIC_CODE
+  if (staticCode && /^\d{6}$/.test(staticCode)) return staticCode
   // Avoid Math.random for OTP generation — use crypto.randomInt
   return String(crypto.randomInt(0, 1_000_000)).padStart(6, '0')
 }

backend/src/services/pairing.service.js

@@ -527,16 +527,26 @@ export const declinePairingRequest = async (sessionId, mitraId) => {
         pairingTimeouts.delete(sessionId)
       }
 
+      // Intermediate failure: payment stays confirmed so the customer can re-blast
+      // from the S7 timeout CTA. Audit row is still written.
       if (session.payment_session_id) {
-        await failPaymentSession(session.payment_session_id, PairingFailureCause.ALL_MITRAS_REJECTED)
+        const paySession = await getPaymentSession(session.payment_session_id)
+        if (paySession) {
+          await recordIntermediateFailure({
+            paymentSessionId: session.payment_session_id,
+            customerId: session.customer_id,
+            causeTag: PairingFailureCause.ALL_MITRAS_REJECTED,
+            amount: paySession.amount,
+          })
+        }
       }
 
-      // Terminal: customer is in a searching state and the search just ended with no chat.
       await notifyCustomer(session.customer_id, {
         type: WsMessage.PAIRING_FAILED,
         session_id: sessionId,
         payment_session_id: session.payment_session_id,
         cause_tag: PairingFailureCause.ALL_MITRAS_REJECTED,
+        is_terminal: false,
       })
     }
   }
@@ -686,19 +696,27 @@ export const expirePairingRequest = async (sessionId, causeTag = PairingFailureC
     WHERE session_id = ${sessionId} AND response IS NULL
   `
 
-  // Fail the payment session (if any) — terminal.
+  // Intermediate failure: payment session stays `confirmed` so the customer can
+  // re-blast on the same payment from the S7 timeout CTA. Audit row is still
+  // written so the failed-pairing CC view captures every attempt.
   if (session.payment_session_id) {
-    await failPaymentSession(session.payment_session_id, causeTag)
+    const paySession = await getPaymentSession(session.payment_session_id)
+    if (paySession) {
+      await recordIntermediateFailure({
+        paymentSessionId: session.payment_session_id,
+        customerId: session.customer_id,
+        causeTag,
+        amount: paySession.amount,
+      })
+    }
   }
 
-  // Notify customer via WebSocket (FCM fallback). Terminal pairing failure → PAIRING_FAILED
-  // so the client can route to the failed-pairing screen consistently with the other
-  // terminal paths (cancel / all-rejected / payment-expired-mid-search).
   await notifyCustomer(session.customer_id, {
     type: WsMessage.PAIRING_FAILED,
     session_id: sessionId,
     payment_session_id: session.payment_session_id,
     cause_tag: causeTag,
+    is_terminal: false,
   })
 
   // Notify mitras to dismiss (request expired) — independent fan-out, run in parallel.

backend/src/services/payment.service.js

@@ -273,6 +273,7 @@ export const expireStalePaymentSessions = async () => {
         type: WsMessage.PAIRING_FAILED,
         payment_session_id: row.id,
         cause_tag: PairingFailureCause.PAYMENT_SESSION_EXPIRED,
+        is_terminal: true,
       })
       if (!wsSent) {
         await sendPushNotification(UserType.CUSTOMER, row.customer_id, {

backend/test/routes/client.usp-seen.routes.test.js

@@ -0,0 +1,135 @@
+import { describe, it, expect, beforeAll, beforeEach, afterAll, vi } from 'vitest'
+
+// Keep external sockets / FCM no-op so buildPublic doesn't try to open them.
+vi.mock('../../src/plugins/websocket.js', () => ({
+  sendToUser: vi.fn(() => false),
+  sendToSessionParticipant: vi.fn(() => false),
+  registerWebSocketPlugin: vi.fn(async () => {}),
+  registerWebSocketRoute: vi.fn(),
+  isUserOnlineWs: vi.fn(() => false),
+  getSessionConnections: vi.fn(() => ({})),
+}))
+
+vi.mock('../../src/services/notification.service.js', () => ({
+  sendPushNotification: vi.fn(async () => true),
+  registerDeviceToken: vi.fn(async () => {}),
+}))
+
+const { buildPublic } = await import('../helpers/server.js')
+const { createCustomer } = await import('../helpers/fixtures.js')
+const { resetDbHard, db } = await import('../helpers/db.js')
+const { customerJwt, authHeader } = await import('../helpers/jwt.js')
+const {
+  getCustomerById,
+  markCustomerUspSeen,
+} = await import('../../src/services/customer.service.js')
+
+describe('Phase 4 — USP one-time gate', () => {
+  let app
+
+  beforeAll(async () => {
+    app = await buildPublic()
+  })
+
+  afterAll(async () => {
+    await app.close()
+  })
+
+  beforeEach(async () => {
+    await resetDbHard()
+  })
+
+  describe('migration default', () => {
+    it('new customer row has usp_seen = false', async () => {
+      const c = await createCustomer({ callName: 'New User' })
+      const row = await getCustomerById(c.id)
+      expect(row).toBeTruthy()
+      expect(row.usp_seen).toBe(false)
+    })
+  })
+
+  describe('markCustomerUspSeen() service', () => {
+    it('flips false → true and returns the updated row', async () => {
+      const c = await createCustomer({ callName: 'Marker' })
+      const updated = await markCustomerUspSeen(c.id)
+      expect(updated.usp_seen).toBe(true)
+      const reread = await getCustomerById(c.id)
+      expect(reread.usp_seen).toBe(true)
+    })
+
+    it('is idempotent — second call still returns usp_seen=true, no error', async () => {
+      const c = await createCustomer({ callName: 'Idem' })
+      await markCustomerUspSeen(c.id)
+      const second = await markCustomerUspSeen(c.id)
+      expect(second.usp_seen).toBe(true)
+    })
+  })
+
+  describe('POST /api/client/auth/usp-seen', () => {
+    it('returns 401 when no Authorization header is present', async () => {
+      const res = await app.inject({
+        method: 'POST',
+        url: '/api/client/auth/usp-seen',
+      })
+      expect(res.statusCode).toBe(401)
+    })
+
+    it('returns 200 + flips flag for an authed customer', async () => {
+      const c = await createCustomer({ callName: 'Authed' })
+      const res = await app.inject({
+        method: 'POST',
+        url: '/api/client/auth/usp-seen',
+        headers: authHeader(customerJwt(c.id)),
+      })
+      expect(res.statusCode).toBe(200)
+      const body = res.json()
+      expect(body.success).toBe(true)
+      expect(body.data.id).toBe(c.id)
+      expect(body.data.usp_seen).toBe(true)
+
+      // DB persisted
+      const reread = await getCustomerById(c.id)
+      expect(reread.usp_seen).toBe(true)
+    })
+
+    it('rejects a non-customer JWT (mitra) with 403', async () => {
+      // Mint a JWT that says CUSTOMER but the route still asserts type — the
+      // route reads user_type from the JWT claim, so use mitraJwt for negative.
+      const { mitraJwt } = await import('../helpers/jwt.js')
+      const fakeId = '00000000-0000-0000-0000-000000000001'
+      const res = await app.inject({
+        method: 'POST',
+        url: '/api/client/auth/usp-seen',
+        headers: authHeader(mitraJwt(fakeId)),
+      })
+      expect(res.statusCode).toBe(403)
+    })
+  })
+
+  describe('GET /api/client/auth/me payload', () => {
+    it('includes usp_seen in the response (false for fresh customer)', async () => {
+      const c = await createCustomer({ callName: 'Reader' })
+      const res = await app.inject({
+        method: 'GET',
+        url: '/api/client/auth/me',
+        headers: authHeader(customerJwt(c.id)),
+      })
+      expect(res.statusCode).toBe(200)
+      const body = res.json()
+      expect(body.data).toHaveProperty('usp_seen')
+      expect(body.data.usp_seen).toBe(false)
+    })
+
+    it('reflects usp_seen=true after the flag has been set', async () => {
+      const c = await createCustomer({ callName: 'Reader2' })
+      await markCustomerUspSeen(c.id)
+      const res = await app.inject({
+        method: 'GET',
+        url: '/api/client/auth/me',
+        headers: authHeader(customerJwt(c.id)),
+      })
+      expect(res.statusCode).toBe(200)
+      expect(res.json().data.usp_seen).toBe(true)
+    })
+  })
+})

backend/test/services/extension.service.test.js

@@ -0,0 +1,139 @@
+import { describe, it, expect, beforeAll, beforeEach, afterEach, vi } from 'vitest'
+
+// Mock the WS plugin (we assert on what extension.service tried to broadcast)
+// and the FCM notification service so tests don't try to reach external APIs.
+vi.mock('../../src/plugins/websocket.js', () => ({
+  sendToUser: vi.fn(() => false),
+  sendToSessionParticipant: vi.fn(() => false),
+  registerWebSocketPlugin: vi.fn(),
+  registerWebSocketRoute: vi.fn(),
+  isUserOnlineWs: vi.fn(() => true),
+  getSessionConnections: vi.fn(() => ({})),
+}))
+
+vi.mock('../../src/services/notification.service.js', () => ({
+  sendPushNotification: vi.fn(async () => true),
+  registerDeviceToken: vi.fn(async () => {}),
+}))
+
+const { sendToSessionParticipant } = await import('../../src/plugins/websocket.js')
+const { respondToExtension } = await import('../../src/services/extension.service.js')
+const { createPaymentSession, confirmPaymentSession } = await import('../../src/services/payment.service.js')
+const {
+  WsMessage,
+  SessionStatus,
+  ExtensionStatus,
+} = await import('../../src/constants.js')
+const { db, resetDb, resetAppConfig } = await import('../helpers/db.js')
+const { createCustomer, createMitra } = await import('../helpers/fixtures.js')
+
+describe('extension.service — EXTENSION_RESPONSE payload', () => {
+  let customer
+  let mitra
+
+  beforeAll(async () => {
+    await resetAppConfig()
+  })
+
+  beforeEach(async () => {
+    await resetDb()
+    customer = await createCustomer({ callName: 'ExtCust' })
+    mitra = await createMitra({ callName: 'ExtMitra', isOnline: true })
+    sendToSessionParticipant.mockClear()
+  })
+
+  afterEach(() => {
+    vi.clearAllMocks()
+  })
+
+  it('accepted extension broadcasts EXTENSION_RESPONSE with the new expires_at', async () => {
+    const sql = db()
+
+    // Seed an active chat_sessions row whose timer is about to run out so the
+    // extension push has a meaningful baseline to advance.
+    const baseExpiresAt = new Date(Date.now() + 30_000) // 30s left
+    const [session] = await sql`
+      INSERT INTO chat_sessions (customer_id, mitra_id, status, expires_at, duration_minutes)
+      VALUES (${customer.id}, ${mitra.id}, ${SessionStatus.ACTIVE}, ${baseExpiresAt}, 12)
+      RETURNING id
+    `
+
+    // A confirmed extension payment session (is_extension=true).
+    const extPay = await createPaymentSession({
+      customerId: customer.id,
+      durationMinutes: 10,
+      amount: 9000,
+      isExtension: true,
+    })
+    await confirmPaymentSession(extPay.id, customer.id)
+
+    // Pending extension row tied to that payment.
+    const [extension] = await sql`
+      INSERT INTO session_extensions (
+        session_id, requested_duration_minutes, requested_price, status, payment_session_id
+      )
+      VALUES (${session.id}, 10, 9000, ${ExtensionStatus.PENDING}, ${extPay.id})
+      RETURNING id
+    `
+
+    // Act
+    await respondToExtension(extension.id, session.id, mitra.id, true)
+
+    // Find the EXTENSION_RESPONSE call to the customer
+    const respCalls = sendToSessionParticipant.mock.calls.filter(
+      ([, , payload]) => payload?.type === WsMessage.EXTENSION_RESPONSE,
+    )
+    expect(respCalls).toHaveLength(1)
+    const payload = respCalls[0][2]
+    expect(payload.accepted).toBe(true)
+    expect(payload.duration_minutes).toBe(10)
+    expect(payload.expires_at).toBeTruthy()
+
+    // The new expires_at must be ahead of the seeded baseExpiresAt by ~10 min.
+    const newExp = new Date(payload.expires_at).getTime()
+    const baseMs = baseExpiresAt.getTime()
+    const deltaMin = (newExp - baseMs) / 60_000
+    expect(deltaMin).toBeGreaterThan(9.5)
+    expect(deltaMin).toBeLessThan(10.5)
+
+    // DB should reflect the same shift.
+    const [refreshed] = await sql`SELECT expires_at FROM chat_sessions WHERE id = ${session.id}`
+    expect(new Date(refreshed.expires_at).getTime()).toBe(newExp)
+  })
+
+  it('rejected extension broadcasts EXTENSION_RESPONSE without expires_at', async () => {
+    const sql = db()
+
+    const baseExpiresAt = new Date(Date.now() + 30_000)
+    const [session] = await sql`
+      INSERT INTO chat_sessions (customer_id, mitra_id, status, expires_at, duration_minutes)
+      VALUES (${customer.id}, ${mitra.id}, ${SessionStatus.ACTIVE}, ${baseExpiresAt}, 12)
+      RETURNING id
+    `
+    const extPay = await createPaymentSession({
+      customerId: customer.id,
+      durationMinutes: 10,
+      amount: 9000,
+      isExtension: true,
+    })
+    await confirmPaymentSession(extPay.id, customer.id)
+    const [extension] = await sql`
+      INSERT INTO session_extensions (
+        session_id, requested_duration_minutes, requested_price, status, payment_session_id
+      )
+      VALUES (${session.id}, 10, 9000, ${ExtensionStatus.PENDING}, ${extPay.id})
+      RETURNING id
+    `
+
+    await respondToExtension(extension.id, session.id, mitra.id, false)
+
+    const respCalls = sendToSessionParticipant.mock.calls.filter(
+      ([, , payload]) => payload?.type === WsMessage.EXTENSION_RESPONSE,
+    )
+    expect(respCalls).toHaveLength(1)
+    const payload = respCalls[0][2]
+    expect(payload.accepted).toBe(false)
+    // Rejected path does not extend the timer, so no expires_at is sent.
+    expect(payload.expires_at).toBeUndefined()
+  })
+})

backend/test/services/pairing.service.test.js

@@ -61,7 +61,7 @@ describe('pairing.service', () => {
     vi.clearAllMocks()
   })
 
-  it('single-recipient general blast → mitra declines → terminates with ALL_MITRAS_REJECTED', async () => {
+  it('single-recipient general blast → mitra declines → retryable ALL_MITRAS_REJECTED, payment stays confirmed', async () => {
     // Arrange: confirmed, non-targeted payment session.
     const pay = await createPaymentSession({
       customerId: customer.id,
@@ -80,7 +80,7 @@ describe('pairing.service', () => {
     // classified as a general-blast all-rejected, NOT a targeted reject.
     await declinePairingRequest(session.id, mitra.id)
 
-    // Assert: pairing_failures row carries ALL_MITRAS_REJECTED, not TARGETED_*.
+    // Assert: pairing_failures audit row carries ALL_MITRAS_REJECTED.
     const sql = db()
     const failures = await sql`
       SELECT cause_tag FROM pairing_failures WHERE payment_session_id = ${pay.id}
@@ -88,16 +88,19 @@ describe('pairing.service', () => {
     expect(failures).toHaveLength(1)
     expect(failures[0].cause_tag).toBe(PairingFailureCause.ALL_MITRAS_REJECTED)
 
-    // Payment session is terminal (failed_pairing) — terminal failures consume the payment.
+    // Payment session stays CONFIRMED — the customer can re-blast on the same
+    // payment via the S7 Timeout "coba cari lagi" CTA.
     const [paySession] = await sql`SELECT status FROM payment_sessions WHERE id = ${pay.id}`
-    expect(paySession.status).toBe(PaymentSessionStatus.FAILED_PAIRING)
+    expect(paySession.status).toBe(PaymentSessionStatus.CONFIRMED)
 
-    // Customer was notified with PAIRING_FAILED carrying the same cause tag.
+    // Customer was notified with PAIRING_FAILED carrying is_terminal=false so
+    // the client renders the retryable variant of the S7 timeout screen.
     const pairingFailedCalls = sendToUser.mock.calls.filter(
       ([, , data]) => data?.type === WsMessage.PAIRING_FAILED,
     )
     expect(pairingFailedCalls).toHaveLength(1)
     expect(pairingFailedCalls[0][2].cause_tag).toBe(PairingFailureCause.ALL_MITRAS_REJECTED)
+    expect(pairingFailedCalls[0][2].is_terminal).toBe(false)
   })
 
   it('cancelPairingRequest does NOT push PAIRING_FAILED to the customer', async () => {