Phase 4 checkpoint: chat-screen perf refactor + retryable blast-failure + repo-wide dispose-ref guardrail

Chat-screen performance (customer + mitra):
- Parent screens have zero `ref.watch` — only `ref.listen` for side effects
- Body extracted into its own `ConsumerStatefulWidget`; AppBar parts split
  into narrow `.select` consumers (mode, sensitivity, timer)
- Per-second timer ticks routed to dedicated providers
  (`chatRemainingSecondsProvider` + new `mitraChatRemainingSecondsProvider`)
  so WS `session_tick` frames don't invalidate the rest of the chat state

Dispose-in-ref bug fix:
- `home_screen.dart`, `payment_screen.dart`, `mitra_chat_screen.dart` —
  ref-using cleanup moved from `dispose()` to `deactivate()`. Modern
  Riverpod invalidates `ref` the moment `dispose()` runs; the resulting
  silent error corrupts the widget-tree finalize and the next screen
  appears frozen
- `halo_lints` package added at repo root with `no_ref_in_dispose` rule
  to catch this pattern in CI / IDE analysis
- `custom_lint` activated in both apps' `analysis_options.yaml`
  (was installed but never wired in — also brings `riverpod_lint`'s
  `avoid_ref_inside_state_dispose` online)
- CLAUDE.md Pitfalls section added to client_app + mitra_app

Phase 4 §3 retryable blast-failure (Option A):
- Backend `expirePairingRequest` + all-rejected use
  `recordIntermediateFailure` instead of `failPaymentSession` so the
  payment session stays `confirmed` for re-blast
- WS `pairing_failed` payload carries `is_terminal: false` on the
  retryable paths; client parses the flag and exposes `retryBlast()`
- "Coba cari lagi" CTA on S7 Timeout now re-blasts on the same payment
- Pairing service test updated to reflect the new semantics

Customer waiting-payment screen navigation patch:
- `_navigateTerminal` uses `Future.microtask` + `addPostFrameCallback`
  redundancy after a release-mode bug where polling stopped but
  `context.go` never fired, leaving the screen visually stuck on
  "menunggu pembayaran"

See requirement/resume-2026-05-15.md for next-day pickup checklist
(mitra release rebuild + S21 Ultra install + retest is the gating item).

Bundles unrelated in-flight Phase 4 §2.x work that was already on disk
(ESP screen removal, USP one-time gate scaffolding, bestie-availability
public route, OTP service edits, Maestro flow tweaks) — kept together
to avoid a partial-rebase mess.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend/test/routes/client.usp-seen.routes.test.js

@@ -0,0 +1,135 @@
+import { describe, it, expect, beforeAll, beforeEach, afterAll, vi } from 'vitest'
+
+// Keep external sockets / FCM no-op so buildPublic doesn't try to open them.
+vi.mock('../../src/plugins/websocket.js', () => ({
+  sendToUser: vi.fn(() => false),
+  sendToSessionParticipant: vi.fn(() => false),
+  registerWebSocketPlugin: vi.fn(async () => {}),
+  registerWebSocketRoute: vi.fn(),
+  isUserOnlineWs: vi.fn(() => false),
+  getSessionConnections: vi.fn(() => ({})),
+}))
+
+vi.mock('../../src/services/notification.service.js', () => ({
+  sendPushNotification: vi.fn(async () => true),
+  registerDeviceToken: vi.fn(async () => {}),
+}))
+
+const { buildPublic } = await import('../helpers/server.js')
+const { createCustomer } = await import('../helpers/fixtures.js')
+const { resetDbHard, db } = await import('../helpers/db.js')
+const { customerJwt, authHeader } = await import('../helpers/jwt.js')
+const {
+  getCustomerById,
+  markCustomerUspSeen,
+} = await import('../../src/services/customer.service.js')
+
+describe('Phase 4 — USP one-time gate', () => {
+  let app
+
+  beforeAll(async () => {
+    app = await buildPublic()
+  })
+
+  afterAll(async () => {
+    await app.close()
+  })
+
+  beforeEach(async () => {
+    await resetDbHard()
+  })
+
+  describe('migration default', () => {
+    it('new customer row has usp_seen = false', async () => {
+      const c = await createCustomer({ callName: 'New User' })
+      const row = await getCustomerById(c.id)
+      expect(row).toBeTruthy()
+      expect(row.usp_seen).toBe(false)
+    })
+  })
+
+  describe('markCustomerUspSeen() service', () => {
+    it('flips false → true and returns the updated row', async () => {
+      const c = await createCustomer({ callName: 'Marker' })
+      const updated = await markCustomerUspSeen(c.id)
+      expect(updated.usp_seen).toBe(true)
+      const reread = await getCustomerById(c.id)
+      expect(reread.usp_seen).toBe(true)
+    })
+
+    it('is idempotent — second call still returns usp_seen=true, no error', async () => {
+      const c = await createCustomer({ callName: 'Idem' })
+      await markCustomerUspSeen(c.id)
+      const second = await markCustomerUspSeen(c.id)
+      expect(second.usp_seen).toBe(true)
+    })
+  })
+
+  describe('POST /api/client/auth/usp-seen', () => {
+    it('returns 401 when no Authorization header is present', async () => {
+      const res = await app.inject({
+        method: 'POST',
+        url: '/api/client/auth/usp-seen',
+      })
+      expect(res.statusCode).toBe(401)
+    })
+
+    it('returns 200 + flips flag for an authed customer', async () => {
+      const c = await createCustomer({ callName: 'Authed' })
+      const res = await app.inject({
+        method: 'POST',
+        url: '/api/client/auth/usp-seen',
+        headers: authHeader(customerJwt(c.id)),
+      })
+      expect(res.statusCode).toBe(200)
+      const body = res.json()
+      expect(body.success).toBe(true)
+      expect(body.data.id).toBe(c.id)
+      expect(body.data.usp_seen).toBe(true)
+
+      // DB persisted
+      const reread = await getCustomerById(c.id)
+      expect(reread.usp_seen).toBe(true)
+    })
+
+    it('rejects a non-customer JWT (mitra) with 403', async () => {
+      // Mint a JWT that says CUSTOMER but the route still asserts type — the
+      // route reads user_type from the JWT claim, so use mitraJwt for negative.
+      const { mitraJwt } = await import('../helpers/jwt.js')
+      const fakeId = '00000000-0000-0000-0000-000000000001'
+      const res = await app.inject({
+        method: 'POST',
+        url: '/api/client/auth/usp-seen',
+        headers: authHeader(mitraJwt(fakeId)),
+      })
+      expect(res.statusCode).toBe(403)
+    })
+  })
+
+  describe('GET /api/client/auth/me payload', () => {
+    it('includes usp_seen in the response (false for fresh customer)', async () => {
+      const c = await createCustomer({ callName: 'Reader' })
+      const res = await app.inject({
+        method: 'GET',
+        url: '/api/client/auth/me',
+        headers: authHeader(customerJwt(c.id)),
+      })
+      expect(res.statusCode).toBe(200)
+      const body = res.json()
+      expect(body.data).toHaveProperty('usp_seen')
+      expect(body.data.usp_seen).toBe(false)
+    })
+
+    it('reflects usp_seen=true after the flag has been set', async () => {
+      const c = await createCustomer({ callName: 'Reader2' })
+      await markCustomerUspSeen(c.id)
+      const res = await app.inject({
+        method: 'GET',
+        url: '/api/client/auth/me',
+        headers: authHeader(customerJwt(c.id)),
+      })
+      expect(res.statusCode).toBe(200)
+      expect(res.json().data.usp_seen).toBe(true)
+    })
+  })
+})