Phase 4 checkpoint: chat-screen perf refactor + retryable blast-failure + repo-wide dispose-ref guardrail

Chat-screen performance (customer + mitra):
- Parent screens have zero `ref.watch` — only `ref.listen` for side effects
- Body extracted into its own `ConsumerStatefulWidget`; AppBar parts split
  into narrow `.select` consumers (mode, sensitivity, timer)
- Per-second timer ticks routed to dedicated providers
  (`chatRemainingSecondsProvider` + new `mitraChatRemainingSecondsProvider`)
  so WS `session_tick` frames don't invalidate the rest of the chat state

Dispose-in-ref bug fix:
- `home_screen.dart`, `payment_screen.dart`, `mitra_chat_screen.dart` —
  ref-using cleanup moved from `dispose()` to `deactivate()`. Modern
  Riverpod invalidates `ref` the moment `dispose()` runs; the resulting
  silent error corrupts the widget-tree finalize and the next screen
  appears frozen
- `halo_lints` package added at repo root with `no_ref_in_dispose` rule
  to catch this pattern in CI / IDE analysis
- `custom_lint` activated in both apps' `analysis_options.yaml`
  (was installed but never wired in — also brings `riverpod_lint`'s
  `avoid_ref_inside_state_dispose` online)
- CLAUDE.md Pitfalls section added to client_app + mitra_app

Phase 4 §3 retryable blast-failure (Option A):
- Backend `expirePairingRequest` + all-rejected use
  `recordIntermediateFailure` instead of `failPaymentSession` so the
  payment session stays `confirmed` for re-blast
- WS `pairing_failed` payload carries `is_terminal: false` on the
  retryable paths; client parses the flag and exposes `retryBlast()`
- "Coba cari lagi" CTA on S7 Timeout now re-blasts on the same payment
- Pairing service test updated to reflect the new semantics

Customer waiting-payment screen navigation patch:
- `_navigateTerminal` uses `Future.microtask` + `addPostFrameCallback`
  redundancy after a release-mode bug where polling stopped but
  `context.go` never fired, leaving the screen visually stuck on
  "menunggu pembayaran"

See requirement/resume-2026-05-15.md for next-day pickup checklist
(mitra release rebuild + S21 Ultra install + retest is the gating item).

Bundles unrelated in-flight Phase 4 §2.x work that was already on disk
(ESP screen removal, USP one-time gate scaffolding, bestie-availability
public route, OTP service edits, Maestro flow tweaks) — kept together
to avoid a partial-rebase mess.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend/src/services/extension.service.js

@@ -182,7 +182,7 @@ const finalizeExtension = async (extensionId, sessionId, accepted, viaTimeout) =
     clearClosureGraceTimer(sessionId)
 
     // Extend the session
-    await extendSessionTimer(extension.session_id, extension.requested_duration_minutes)
+    const extended = await extendSessionTimer(extension.session_id, extension.requested_duration_minutes)
 
     // Resume session
     await sql`UPDATE chat_sessions SET status = ${SessionStatus.ACTIVE} WHERE id = ${extension.session_id}`
@@ -194,11 +194,15 @@ const finalizeExtension = async (extensionId, sessionId, accepted, viaTimeout) =
       FROM chat_sessions WHERE id = ${extension.session_id}
     `
 
-    // Notify both parties
+    // Notify both parties. Include the freshly-extended `expires_at` so the
+    // customer's local seconds-left ticker can resume immediately — without it,
+    // the client has to wait until the next 60s SESSION_TIMER ping to pick up
+    // the new deadline, leaving the floating expired banner stuck on-screen.
     sendToSessionParticipant(sessionId, UserType.CUSTOMER, {
       type: WsMessage.EXTENSION_RESPONSE,
       accepted: true,
       duration_minutes: extension.requested_duration_minutes,
+      expires_at: extended?.expires_at ?? null,
       via_timeout: viaTimeout,
     })
     sendToSessionParticipant(sessionId, UserType.CUSTOMER, {

backend/src/services/otp.service.js

@@ -22,6 +22,11 @@ const OTP_TTL_MINUTES = 5
 // -------------------------------------------------------------------
 
 const generate6DigitCode = () => {
+  // Dev escape hatch: when OTP_STATIC_CODE is set (6 digits), every stub OTP
+  // returns this exact value. Lets manual testers skip the peek round-trip.
+  // Leave unset in production — real Fazpass owns the code there.
+  const staticCode = process.env.OTP_STATIC_CODE
+  if (staticCode && /^\d{6}$/.test(staticCode)) return staticCode
   // Avoid Math.random for OTP generation — use crypto.randomInt
   return String(crypto.randomInt(0, 1_000_000)).padStart(6, '0')
 }

backend/src/services/pairing.service.js

@@ -527,16 +527,26 @@ export const declinePairingRequest = async (sessionId, mitraId) => {
         pairingTimeouts.delete(sessionId)
       }
 
+      // Intermediate failure: payment stays confirmed so the customer can re-blast
+      // from the S7 timeout CTA. Audit row is still written.
       if (session.payment_session_id) {
-        await failPaymentSession(session.payment_session_id, PairingFailureCause.ALL_MITRAS_REJECTED)
+        const paySession = await getPaymentSession(session.payment_session_id)
+        if (paySession) {
+          await recordIntermediateFailure({
+            paymentSessionId: session.payment_session_id,
+            customerId: session.customer_id,
+            causeTag: PairingFailureCause.ALL_MITRAS_REJECTED,
+            amount: paySession.amount,
+          })
+        }
       }
 
-      // Terminal: customer is in a searching state and the search just ended with no chat.
       await notifyCustomer(session.customer_id, {
         type: WsMessage.PAIRING_FAILED,
         session_id: sessionId,
         payment_session_id: session.payment_session_id,
         cause_tag: PairingFailureCause.ALL_MITRAS_REJECTED,
+        is_terminal: false,
       })
     }
   }
@@ -686,19 +696,27 @@ export const expirePairingRequest = async (sessionId, causeTag = PairingFailureC
     WHERE session_id = ${sessionId} AND response IS NULL
   `
 
-  // Fail the payment session (if any) — terminal.
+  // Intermediate failure: payment session stays `confirmed` so the customer can
+  // re-blast on the same payment from the S7 timeout CTA. Audit row is still
+  // written so the failed-pairing CC view captures every attempt.
   if (session.payment_session_id) {
-    await failPaymentSession(session.payment_session_id, causeTag)
+    const paySession = await getPaymentSession(session.payment_session_id)
+    if (paySession) {
+      await recordIntermediateFailure({
+        paymentSessionId: session.payment_session_id,
+        customerId: session.customer_id,
+        causeTag,
+        amount: paySession.amount,
+      })
+    }
   }
 
-  // Notify customer via WebSocket (FCM fallback). Terminal pairing failure → PAIRING_FAILED
-  // so the client can route to the failed-pairing screen consistently with the other
-  // terminal paths (cancel / all-rejected / payment-expired-mid-search).
   await notifyCustomer(session.customer_id, {
     type: WsMessage.PAIRING_FAILED,
     session_id: sessionId,
     payment_session_id: session.payment_session_id,
     cause_tag: causeTag,
+    is_terminal: false,
   })
 
   // Notify mitras to dismiss (request expired) — independent fan-out, run in parallel.

backend/src/services/payment.service.js

@@ -273,6 +273,7 @@ export const expireStalePaymentSessions = async () => {
         type: WsMessage.PAIRING_FAILED,
         payment_session_id: row.id,
         cause_tag: PairingFailureCause.PAYMENT_SESSION_EXPIRED,
+        is_terminal: true,
       })
       if (!wsSent) {
         await sendPushNotification(UserType.CUSTOMER, row.customer_id, {