Phase 4 checkpoint: chat-screen perf refactor + retryable blast-failure + repo-wide dispose-ref guardrail

Chat-screen performance (customer + mitra):
- Parent screens have zero `ref.watch` — only `ref.listen` for side effects
- Body extracted into its own `ConsumerStatefulWidget`; AppBar parts split
  into narrow `.select` consumers (mode, sensitivity, timer)
- Per-second timer ticks routed to dedicated providers
  (`chatRemainingSecondsProvider` + new `mitraChatRemainingSecondsProvider`)
  so WS `session_tick` frames don't invalidate the rest of the chat state

Dispose-in-ref bug fix:
- `home_screen.dart`, `payment_screen.dart`, `mitra_chat_screen.dart` —
  ref-using cleanup moved from `dispose()` to `deactivate()`. Modern
  Riverpod invalidates `ref` the moment `dispose()` runs; the resulting
  silent error corrupts the widget-tree finalize and the next screen
  appears frozen
- `halo_lints` package added at repo root with `no_ref_in_dispose` rule
  to catch this pattern in CI / IDE analysis
- `custom_lint` activated in both apps' `analysis_options.yaml`
  (was installed but never wired in — also brings `riverpod_lint`'s
  `avoid_ref_inside_state_dispose` online)
- CLAUDE.md Pitfalls section added to client_app + mitra_app

Phase 4 §3 retryable blast-failure (Option A):
- Backend `expirePairingRequest` + all-rejected use
  `recordIntermediateFailure` instead of `failPaymentSession` so the
  payment session stays `confirmed` for re-blast
- WS `pairing_failed` payload carries `is_terminal: false` on the
  retryable paths; client parses the flag and exposes `retryBlast()`
- "Coba cari lagi" CTA on S7 Timeout now re-blasts on the same payment
- Pairing service test updated to reflect the new semantics

Customer waiting-payment screen navigation patch:
- `_navigateTerminal` uses `Future.microtask` + `addPostFrameCallback`
  redundancy after a release-mode bug where polling stopped but
  `context.go` never fired, leaving the screen visually stuck on
  "menunggu pembayaran"

See requirement/resume-2026-05-15.md for next-day pickup checklist
(mitra release rebuild + S21 Ultra install + retest is the gating item).

Bundles unrelated in-flight Phase 4 §2.x work that was already on disk
(ESP screen removal, USP one-time gate scaffolding, bestie-availability
public route, OTP service edits, Maestro flow tweaks) — kept together
to avoid a partial-rebase mess.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend/test/routes/client.usp-seen.routes.test.js

@@ -0,0 +1,135 @@
+import { describe, it, expect, beforeAll, beforeEach, afterAll, vi } from 'vitest'
+
+// Keep external sockets / FCM no-op so buildPublic doesn't try to open them.
+vi.mock('../../src/plugins/websocket.js', () => ({
+  sendToUser: vi.fn(() => false),
+  sendToSessionParticipant: vi.fn(() => false),
+  registerWebSocketPlugin: vi.fn(async () => {}),
+  registerWebSocketRoute: vi.fn(),
+  isUserOnlineWs: vi.fn(() => false),
+  getSessionConnections: vi.fn(() => ({})),
+}))
+
+vi.mock('../../src/services/notification.service.js', () => ({
+  sendPushNotification: vi.fn(async () => true),
+  registerDeviceToken: vi.fn(async () => {}),
+}))
+
+const { buildPublic } = await import('../helpers/server.js')
+const { createCustomer } = await import('../helpers/fixtures.js')
+const { resetDbHard, db } = await import('../helpers/db.js')
+const { customerJwt, authHeader } = await import('../helpers/jwt.js')
+const {
+  getCustomerById,
+  markCustomerUspSeen,
+} = await import('../../src/services/customer.service.js')
+
+describe('Phase 4 — USP one-time gate', () => {
+  let app
+
+  beforeAll(async () => {
+    app = await buildPublic()
+  })
+
+  afterAll(async () => {
+    await app.close()
+  })
+
+  beforeEach(async () => {
+    await resetDbHard()
+  })
+
+  describe('migration default', () => {
+    it('new customer row has usp_seen = false', async () => {
+      const c = await createCustomer({ callName: 'New User' })
+      const row = await getCustomerById(c.id)
+      expect(row).toBeTruthy()
+      expect(row.usp_seen).toBe(false)
+    })
+  })
+
+  describe('markCustomerUspSeen() service', () => {
+    it('flips false → true and returns the updated row', async () => {
+      const c = await createCustomer({ callName: 'Marker' })
+      const updated = await markCustomerUspSeen(c.id)
+      expect(updated.usp_seen).toBe(true)
+      const reread = await getCustomerById(c.id)
+      expect(reread.usp_seen).toBe(true)
+    })
+
+    it('is idempotent — second call still returns usp_seen=true, no error', async () => {
+      const c = await createCustomer({ callName: 'Idem' })
+      await markCustomerUspSeen(c.id)
+      const second = await markCustomerUspSeen(c.id)
+      expect(second.usp_seen).toBe(true)
+    })
+  })
+
+  describe('POST /api/client/auth/usp-seen', () => {
+    it('returns 401 when no Authorization header is present', async () => {
+      const res = await app.inject({
+        method: 'POST',
+        url: '/api/client/auth/usp-seen',
+      })
+      expect(res.statusCode).toBe(401)
+    })
+
+    it('returns 200 + flips flag for an authed customer', async () => {
+      const c = await createCustomer({ callName: 'Authed' })
+      const res = await app.inject({
+        method: 'POST',
+        url: '/api/client/auth/usp-seen',
+        headers: authHeader(customerJwt(c.id)),
+      })
+      expect(res.statusCode).toBe(200)
+      const body = res.json()
+      expect(body.success).toBe(true)
+      expect(body.data.id).toBe(c.id)
+      expect(body.data.usp_seen).toBe(true)
+
+      // DB persisted
+      const reread = await getCustomerById(c.id)
+      expect(reread.usp_seen).toBe(true)
+    })
+
+    it('rejects a non-customer JWT (mitra) with 403', async () => {
+      // Mint a JWT that says CUSTOMER but the route still asserts type — the
+      // route reads user_type from the JWT claim, so use mitraJwt for negative.
+      const { mitraJwt } = await import('../helpers/jwt.js')
+      const fakeId = '00000000-0000-0000-0000-000000000001'
+      const res = await app.inject({
+        method: 'POST',
+        url: '/api/client/auth/usp-seen',
+        headers: authHeader(mitraJwt(fakeId)),
+      })
+      expect(res.statusCode).toBe(403)
+    })
+  })
+
+  describe('GET /api/client/auth/me payload', () => {
+    it('includes usp_seen in the response (false for fresh customer)', async () => {
+      const c = await createCustomer({ callName: 'Reader' })
+      const res = await app.inject({
+        method: 'GET',
+        url: '/api/client/auth/me',
+        headers: authHeader(customerJwt(c.id)),
+      })
+      expect(res.statusCode).toBe(200)
+      const body = res.json()
+      expect(body.data).toHaveProperty('usp_seen')
+      expect(body.data.usp_seen).toBe(false)
+    })
+
+    it('reflects usp_seen=true after the flag has been set', async () => {
+      const c = await createCustomer({ callName: 'Reader2' })
+      await markCustomerUspSeen(c.id)
+      const res = await app.inject({
+        method: 'GET',
+        url: '/api/client/auth/me',
+        headers: authHeader(customerJwt(c.id)),
+      })
+      expect(res.statusCode).toBe(200)
+      expect(res.json().data.usp_seen).toBe(true)
+    })
+  })
+})

backend/test/services/extension.service.test.js

@@ -0,0 +1,139 @@
+import { describe, it, expect, beforeAll, beforeEach, afterEach, vi } from 'vitest'
+
+// Mock the WS plugin (we assert on what extension.service tried to broadcast)
+// and the FCM notification service so tests don't try to reach external APIs.
+vi.mock('../../src/plugins/websocket.js', () => ({
+  sendToUser: vi.fn(() => false),
+  sendToSessionParticipant: vi.fn(() => false),
+  registerWebSocketPlugin: vi.fn(),
+  registerWebSocketRoute: vi.fn(),
+  isUserOnlineWs: vi.fn(() => true),
+  getSessionConnections: vi.fn(() => ({})),
+}))
+
+vi.mock('../../src/services/notification.service.js', () => ({
+  sendPushNotification: vi.fn(async () => true),
+  registerDeviceToken: vi.fn(async () => {}),
+}))
+
+const { sendToSessionParticipant } = await import('../../src/plugins/websocket.js')
+const { respondToExtension } = await import('../../src/services/extension.service.js')
+const { createPaymentSession, confirmPaymentSession } = await import('../../src/services/payment.service.js')
+const {
+  WsMessage,
+  SessionStatus,
+  ExtensionStatus,
+} = await import('../../src/constants.js')
+const { db, resetDb, resetAppConfig } = await import('../helpers/db.js')
+const { createCustomer, createMitra } = await import('../helpers/fixtures.js')
+
+describe('extension.service — EXTENSION_RESPONSE payload', () => {
+  let customer
+  let mitra
+
+  beforeAll(async () => {
+    await resetAppConfig()
+  })
+
+  beforeEach(async () => {
+    await resetDb()
+    customer = await createCustomer({ callName: 'ExtCust' })
+    mitra = await createMitra({ callName: 'ExtMitra', isOnline: true })
+    sendToSessionParticipant.mockClear()
+  })
+
+  afterEach(() => {
+    vi.clearAllMocks()
+  })
+
+  it('accepted extension broadcasts EXTENSION_RESPONSE with the new expires_at', async () => {
+    const sql = db()
+
+    // Seed an active chat_sessions row whose timer is about to run out so the
+    // extension push has a meaningful baseline to advance.
+    const baseExpiresAt = new Date(Date.now() + 30_000) // 30s left
+    const [session] = await sql`
+      INSERT INTO chat_sessions (customer_id, mitra_id, status, expires_at, duration_minutes)
+      VALUES (${customer.id}, ${mitra.id}, ${SessionStatus.ACTIVE}, ${baseExpiresAt}, 12)
+      RETURNING id
+    `
+
+    // A confirmed extension payment session (is_extension=true).
+    const extPay = await createPaymentSession({
+      customerId: customer.id,
+      durationMinutes: 10,
+      amount: 9000,
+      isExtension: true,
+    })
+    await confirmPaymentSession(extPay.id, customer.id)
+
+    // Pending extension row tied to that payment.
+    const [extension] = await sql`
+      INSERT INTO session_extensions (
+        session_id, requested_duration_minutes, requested_price, status, payment_session_id
+      )
+      VALUES (${session.id}, 10, 9000, ${ExtensionStatus.PENDING}, ${extPay.id})
+      RETURNING id
+    `
+
+    // Act
+    await respondToExtension(extension.id, session.id, mitra.id, true)
+
+    // Find the EXTENSION_RESPONSE call to the customer
+    const respCalls = sendToSessionParticipant.mock.calls.filter(
+      ([, , payload]) => payload?.type === WsMessage.EXTENSION_RESPONSE,
+    )
+    expect(respCalls).toHaveLength(1)
+    const payload = respCalls[0][2]
+    expect(payload.accepted).toBe(true)
+    expect(payload.duration_minutes).toBe(10)
+    expect(payload.expires_at).toBeTruthy()
+
+    // The new expires_at must be ahead of the seeded baseExpiresAt by ~10 min.
+    const newExp = new Date(payload.expires_at).getTime()
+    const baseMs = baseExpiresAt.getTime()
+    const deltaMin = (newExp - baseMs) / 60_000
+    expect(deltaMin).toBeGreaterThan(9.5)
+    expect(deltaMin).toBeLessThan(10.5)
+
+    // DB should reflect the same shift.
+    const [refreshed] = await sql`SELECT expires_at FROM chat_sessions WHERE id = ${session.id}`
+    expect(new Date(refreshed.expires_at).getTime()).toBe(newExp)
+  })
+
+  it('rejected extension broadcasts EXTENSION_RESPONSE without expires_at', async () => {
+    const sql = db()
+
+    const baseExpiresAt = new Date(Date.now() + 30_000)
+    const [session] = await sql`
+      INSERT INTO chat_sessions (customer_id, mitra_id, status, expires_at, duration_minutes)
+      VALUES (${customer.id}, ${mitra.id}, ${SessionStatus.ACTIVE}, ${baseExpiresAt}, 12)
+      RETURNING id
+    `
+    const extPay = await createPaymentSession({
+      customerId: customer.id,
+      durationMinutes: 10,
+      amount: 9000,
+      isExtension: true,
+    })
+    await confirmPaymentSession(extPay.id, customer.id)
+    const [extension] = await sql`
+      INSERT INTO session_extensions (
+        session_id, requested_duration_minutes, requested_price, status, payment_session_id
+      )
+      VALUES (${session.id}, 10, 9000, ${ExtensionStatus.PENDING}, ${extPay.id})
+      RETURNING id
+    `
+
+    await respondToExtension(extension.id, session.id, mitra.id, false)
+
+    const respCalls = sendToSessionParticipant.mock.calls.filter(
+      ([, , payload]) => payload?.type === WsMessage.EXTENSION_RESPONSE,
+    )
+    expect(respCalls).toHaveLength(1)
+    const payload = respCalls[0][2]
+    expect(payload.accepted).toBe(false)
+    // Rejected path does not extend the timer, so no expires_at is sent.
+    expect(payload.expires_at).toBeUndefined()
+  })
+})

backend/test/services/pairing.service.test.js

@@ -61,7 +61,7 @@ describe('pairing.service', () => {
     vi.clearAllMocks()
   })
 
-  it('single-recipient general blast → mitra declines → terminates with ALL_MITRAS_REJECTED', async () => {
+  it('single-recipient general blast → mitra declines → retryable ALL_MITRAS_REJECTED, payment stays confirmed', async () => {
     // Arrange: confirmed, non-targeted payment session.
     const pay = await createPaymentSession({
       customerId: customer.id,
@@ -80,7 +80,7 @@ describe('pairing.service', () => {
     // classified as a general-blast all-rejected, NOT a targeted reject.
     await declinePairingRequest(session.id, mitra.id)
 
-    // Assert: pairing_failures row carries ALL_MITRAS_REJECTED, not TARGETED_*.
+    // Assert: pairing_failures audit row carries ALL_MITRAS_REJECTED.
     const sql = db()
     const failures = await sql`
       SELECT cause_tag FROM pairing_failures WHERE payment_session_id = ${pay.id}
@@ -88,16 +88,19 @@ describe('pairing.service', () => {
     expect(failures).toHaveLength(1)
     expect(failures[0].cause_tag).toBe(PairingFailureCause.ALL_MITRAS_REJECTED)
 
-    // Payment session is terminal (failed_pairing) — terminal failures consume the payment.
+    // Payment session stays CONFIRMED — the customer can re-blast on the same
+    // payment via the S7 Timeout "coba cari lagi" CTA.
     const [paySession] = await sql`SELECT status FROM payment_sessions WHERE id = ${pay.id}`
-    expect(paySession.status).toBe(PaymentSessionStatus.FAILED_PAIRING)
+    expect(paySession.status).toBe(PaymentSessionStatus.CONFIRMED)
 
-    // Customer was notified with PAIRING_FAILED carrying the same cause tag.
+    // Customer was notified with PAIRING_FAILED carrying is_terminal=false so
+    // the client renders the retryable variant of the S7 timeout screen.
     const pairingFailedCalls = sendToUser.mock.calls.filter(
       ([, , data]) => data?.type === WsMessage.PAIRING_FAILED,
     )
     expect(pairingFailedCalls).toHaveLength(1)
     expect(pairingFailedCalls[0][2].cause_tag).toBe(PairingFailureCause.ALL_MITRAS_REJECTED)
+    expect(pairingFailedCalls[0][2].is_terminal).toBe(false)
   })
 
   it('cancelPairingRequest does NOT push PAIRING_FAILED to the customer', async () => {