Phase 4 checkpoint: chat-screen perf refactor + retryable blast-failure + repo-wide dispose-ref guardrail

Chat-screen performance (customer + mitra): - Parent screens have zero `ref.watch` — only `ref.listen` for side effects - Body extracted into its own `ConsumerStatefulWidget`; AppBar parts split into narrow `.select` consumers (mode, sensitivity, timer) - Per-second timer ticks routed to dedicated providers (`chatRemainingSecondsProvider` + new `mitraChatRemainingSecondsProvider`) so WS `session_tick` frames don't invalidate the rest of the chat state Dispose-in-ref bug fix: - `home_screen.dart`, `payment_screen.dart`, `mitra_chat_screen.dart` — ref-using cleanup moved from `dispose()` to `deactivate()`. Modern Riverpod invalidates `ref` the moment `dispose()` runs; the resulting silent error corrupts the widget-tree finalize and the next screen appears frozen - `halo_lints` package added at repo root with `no_ref_in_dispose` rule to catch this pattern in CI / IDE analysis - `custom_lint` activated in both apps' `analysis_options.yaml` (was installed but never wired in — also brings `riverpod_lint`'s `avoid_ref_inside_state_dispose` online) - CLAUDE.md Pitfalls section added to client_app + mitra_app Phase 4 §3 retryable blast-failure (Option A): - Backend `expirePairingRequest` + all-rejected use `recordIntermediateFailure` instead of `failPaymentSession` so the payment session stays `confirmed` for re-blast - WS `pairing_failed` payload carries `is_terminal: false` on the retryable paths; client parses the flag and exposes `retryBlast()` - "Coba cari lagi" CTA on S7 Timeout now re-blasts on the same payment - Pairing service test updated to reflect the new semantics Customer waiting-payment screen navigation patch: - `_navigateTerminal` uses `Future.microtask` + `addPostFrameCallback` redundancy after a release-mode bug where polling stopped but `context.go` never fired, leaving the screen visually stuck on "menunggu pembayaran" See requirement/resume-2026-05-15.md for next-day pickup checklist (mitra release rebuild + S21 Ultra install + retest is the gating item). Bundles unrelated in-flight Phase 4 §2.x work that was already on disk (ESP screen removal, USP one-time gate scaffolding, bestie-availability public route, OTP service edits, Maestro flow tweaks) — kept together to avoid a partial-rebase mess. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 19:12:34 +08:00
parent a48f108fc0
commit a09f37135c
56 changed files with 3417 additions and 1093 deletions
--- a/backend/src/app.public.js
+++ b/backend/src/app.public.js
@@ -11,6 +11,7 @@ import { mitraChatRoutes } from './routes/public/mitra.chat.routes.js'
 import { clientChatRoutes } from './routes/public/client.chat.routes.js'
 import { clientPaymentRoutes } from './routes/public/client.payment.routes.js'
 import { clientMitraAvailabilityRoutes } from './routes/public/client.mitra-availability.routes.js'
+import { publicBestieAvailabilityRoutes } from './routes/public/public.bestie-availability.routes.js'
 import { clientOnboardingRoutes } from './routes/public/client.onboarding.routes.js'
 import { clientSupportRoutes } from './routes/public/client.support.routes.js'
 import { sharedChatRoutes } from './routes/public/shared.chat.routes.js'
@@ -36,6 +37,7 @@ export const buildPublicApp = async () => {
  app.register(clientChatRoutes, { prefix: '/api/client/chat' })
  app.register(clientPaymentRoutes, { prefix: '/api/client/payment-sessions' })
  app.register(clientMitraAvailabilityRoutes, { prefix: '/api/client/mitra-availability' })
+  app.register(publicBestieAvailabilityRoutes, { prefix: '/api/public/bestie' })
  // Phase 4: onboarding-state + support handles. Both are tiny so they live in their
  // own files rather than bloating client.auth.routes / shared.config.routes.
  app.register(clientOnboardingRoutes, { prefix: '/api/client' })
--- a/backend/src/routes/public/client.mitra-availability.routes.js
+++ b/backend/src/routes/public/client.mitra-availability.routes.js
@@ -3,15 +3,17 @@ import { countAvailableMitrasFromCache } from '../../services/mitra-status.servi
 import { UserType } from '../../constants.js'

 /**
- * Customer-home availability poll.
+ * Customer-authed availability poll (kept for CC/debug callers that want the
+ * raw count).
 *
- *   GET /api/client/mitra-availability  →  200 { available: bool, count?: number }
+ *   GET /api/client/mitra-availability  →  200 { available: bool, count: number }
 *
- * Hot endpoint by design — polled every 5s per active customer while their home is
- * foregrounded. Backed by a 10s in-memory cache (see mitra-status.service.js) so DB load
+ * The customer home polls `/api/public/bestie/available` instead — that route
+ * is unauthenticated and returns only the boolean, since SHome1st renders
+ * before the user has any JWT (see `requirement/flow_customer.mermaid.md` §1).
+ *
+ * Backed by a 10s in-memory cache (see mitra-status.service.js) so DB load
 * stays bounded regardless of poller count. No rate limit by intent.
- *
- * `count` is included for CC/debug; the customer UI must read only `available`.
 */
 export const clientMitraAvailabilityRoutes = async (app) => {
  app.get('/', { preHandler: [authenticate] }, async (request, reply) => {
--- a/backend/src/routes/public/public.bestie-availability.routes.js
+++ b/backend/src/routes/public/public.bestie-availability.routes.js
@@ -0,0 +1,25 @@
+import { countAvailableMitrasFromCache } from '../../services/mitra-status.service.js'
+
+/**
+ * Public bestie-availability beacon.
+ *
+ *   GET /api/public/bestie/available  →  200 { available: bool }
+ *
+ * Unauthenticated by design: the SHome1st CTA must reflect global availability
+ * BEFORE the user has any JWT (see `requirement/flow_customer.mermaid.md` §1 +
+ * router.dart's "fresh / unauthenticated users land on Home directly" carve-out).
+ *
+ * Output is intentionally a single boolean — no `count`, no IDs, no metadata —
+ * so this endpoint leaks no operational signal beyond "at least one bestie is
+ * online right now". Backed by the same 10s in-memory cache that bounds DB
+ * load regardless of poller count.
+ *
+ * The auth'd `/api/client/mitra-availability` route is kept for CC/debug
+ * callers that need the raw count.
+ */
+export const publicBestieAvailabilityRoutes = async (app) => {
+  app.get('/available', async (_request, reply) => {
+    const { available } = await countAvailableMitrasFromCache()
+    return reply.send({ success: true, data: { available } })
+  })
+}
--- a/backend/src/services/extension.service.js
+++ b/backend/src/services/extension.service.js
@@ -182,7 +182,7 @@ const finalizeExtension = async (extensionId, sessionId, accepted, viaTimeout) =
    clearClosureGraceTimer(sessionId)

    // Extend the session
-    await extendSessionTimer(extension.session_id, extension.requested_duration_minutes)
+    const extended = await extendSessionTimer(extension.session_id, extension.requested_duration_minutes)

    // Resume session
    await sql`UPDATE chat_sessions SET status = ${SessionStatus.ACTIVE} WHERE id = ${extension.session_id}`
@@ -194,11 +194,15 @@ const finalizeExtension = async (extensionId, sessionId, accepted, viaTimeout) =
      FROM chat_sessions WHERE id = ${extension.session_id}
    `

-    // Notify both parties
+    // Notify both parties. Include the freshly-extended `expires_at` so the
+    // customer's local seconds-left ticker can resume immediately — without it,
+    // the client has to wait until the next 60s SESSION_TIMER ping to pick up
+    // the new deadline, leaving the floating expired banner stuck on-screen.
    sendToSessionParticipant(sessionId, UserType.CUSTOMER, {
      type: WsMessage.EXTENSION_RESPONSE,
      accepted: true,
      duration_minutes: extension.requested_duration_minutes,
+      expires_at: extended?.expires_at ?? null,
      via_timeout: viaTimeout,
    })
    sendToSessionParticipant(sessionId, UserType.CUSTOMER, {
--- a/backend/src/services/otp.service.js
+++ b/backend/src/services/otp.service.js
@@ -22,6 +22,11 @@ const OTP_TTL_MINUTES = 5
 // -------------------------------------------------------------------

 const generate6DigitCode = () => {
+  // Dev escape hatch: when OTP_STATIC_CODE is set (6 digits), every stub OTP
+  // returns this exact value. Lets manual testers skip the peek round-trip.
+  // Leave unset in production — real Fazpass owns the code there.
+  const staticCode = process.env.OTP_STATIC_CODE
+  if (staticCode && /^\d{6}$/.test(staticCode)) return staticCode
  // Avoid Math.random for OTP generation — use crypto.randomInt
  return String(crypto.randomInt(0, 1_000_000)).padStart(6, '0')
 }
--- a/backend/src/services/pairing.service.js
+++ b/backend/src/services/pairing.service.js
@@ -527,16 +527,26 @@ export const declinePairingRequest = async (sessionId, mitraId) => {
        pairingTimeouts.delete(sessionId)
      }

+      // Intermediate failure: payment stays confirmed so the customer can re-blast
+      // from the S7 timeout CTA. Audit row is still written.
      if (session.payment_session_id) {
-        await failPaymentSession(session.payment_session_id, PairingFailureCause.ALL_MITRAS_REJECTED)
+        const paySession = await getPaymentSession(session.payment_session_id)
+        if (paySession) {
+          await recordIntermediateFailure({
+            paymentSessionId: session.payment_session_id,
+            customerId: session.customer_id,
+            causeTag: PairingFailureCause.ALL_MITRAS_REJECTED,
+            amount: paySession.amount,
+          })
+        }
      }

-      // Terminal: customer is in a searching state and the search just ended with no chat.
      await notifyCustomer(session.customer_id, {
        type: WsMessage.PAIRING_FAILED,
        session_id: sessionId,
        payment_session_id: session.payment_session_id,
        cause_tag: PairingFailureCause.ALL_MITRAS_REJECTED,
+        is_terminal: false,
      })
    }
  }
@@ -686,19 +696,27 @@ export const expirePairingRequest = async (sessionId, causeTag = PairingFailureC
    WHERE session_id = ${sessionId} AND response IS NULL
  `

-  // Fail the payment session (if any) — terminal.
+  // Intermediate failure: payment session stays `confirmed` so the customer can
+  // re-blast on the same payment from the S7 timeout CTA. Audit row is still
+  // written so the failed-pairing CC view captures every attempt.
  if (session.payment_session_id) {
-    await failPaymentSession(session.payment_session_id, causeTag)
+    const paySession = await getPaymentSession(session.payment_session_id)
+    if (paySession) {
+      await recordIntermediateFailure({
+        paymentSessionId: session.payment_session_id,
+        customerId: session.customer_id,
+        causeTag,
+        amount: paySession.amount,
+      })
+    }
  }

-  // Notify customer via WebSocket (FCM fallback). Terminal pairing failure → PAIRING_FAILED
-  // so the client can route to the failed-pairing screen consistently with the other
-  // terminal paths (cancel / all-rejected / payment-expired-mid-search).
  await notifyCustomer(session.customer_id, {
    type: WsMessage.PAIRING_FAILED,
    session_id: sessionId,
    payment_session_id: session.payment_session_id,
    cause_tag: causeTag,
+    is_terminal: false,
  })

  // Notify mitras to dismiss (request expired) — independent fan-out, run in parallel.
--- a/backend/src/services/payment.service.js
+++ b/backend/src/services/payment.service.js
@@ -273,6 +273,7 @@ export const expireStalePaymentSessions = async () => {
        type: WsMessage.PAIRING_FAILED,
        payment_session_id: row.id,
        cause_tag: PairingFailureCause.PAYMENT_SESSION_EXPIRED,
+        is_terminal: true,
      })
      if (!wsSent) {
        await sendPushNotification(UserType.CUSTOMER, row.customer_id, {