Phase 3.7: paid pairing flow + returning chat + extension flip

- Backend: payment_sessions + pairing_failures tables; payment.service.js
  and pairing-failure.service.js (new); rewritten pairing.service.js
  (payment-gated blast + targeted "Curhat lagi" + cancel + fallback);
  rewritten extension.service.js (data-driven auto-approve with offline
  safeguard, charge-at-approval); pricing.service.js (extension tiers
  without free trial); mitra-status.service.js (countAvailableMitras
  cached path); 60s sweeper for stale payment sessions
- Backend routes: client.payment.routes, client.mitra-availability.routes,
  internal/failed-pairings.routes; client.chat.routes rewritten for
  payment-gated start + /returning + /cancel + /fallback-to-blast;
  internal/config.routes adds 4 new keys with Valkey invalidate publish
- client_app: mitra-availability poll, payment screen + notifier, pairing
  notifier rewrite (PairingTargetedWaiting + PairingFailed states),
  targeted-waiting overlay + bestie-unavailable dialog, "Curhat lagi"
  CTA, failed-pairing terminal, extension via payment-session
- mitra_app: PairingRequestType enum, returning-chat 20s countdown
  auto-dismiss, extension card "otomatis disetujui" copy
- control_center: 4 new config rows in Settings, Failed Pairings page
  (filter + paginate + action menu), sidebar + route registered
- Test infrastructure: Vitest backend (7/7 pass), Playwright CC (4/4
  pass), Maestro mobile scaffold (CLI install pending)
- Bugs found via Playwright + fixed: LoginPage labels not associated
  with inputs (a11y); backend internal CORS missing PATCH/PUT/DELETE
  in allow-methods (silent settings breakage in browsers since Stage 4)
- Docs: phase3.7.md PRD, phase3.7-plan.md, phase3.7-questions.md (Q&A),
  phase3.7-testing.md (E2E checklist), phase3.7-test-run-2026-05-03.md
  (today's run results)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend/test/helpers/db.js

@@ -0,0 +1,81 @@
+import { getDb } from '../../src/db/client.js'
+
+/**
+ * Single shared sql client used by tests. Same singleton the services use, since
+ * setup.js has already rewritten DATABASE_URL to point at the test schema.
+ */
+export const db = () => getDb()
+
+/**
+ * Truncate Phase 3.7-relevant tables between tests.
+ *
+ * Order matters: pairing_failures FK → payment_sessions; chat_request_notifications
+ * FK → chat_sessions; customer_transactions FK → chat_sessions; etc. Use CASCADE so
+ * we don't have to maintain the topological order when tables get added.
+ *
+ * We deliberately do NOT truncate roles / control_center_users / mitras / customers
+ * — those are seeded once per test file by fixtures and re-truncating them would
+ * force every test to re-create users (slow + noisy).
+ */
+const TRUNCATE_TABLES = [
+  'pairing_failures',
+  'payment_sessions',
+  'chat_request_notifications',
+  'session_extensions',
+  'session_closures',
+  'session_sensitivity_log',
+  'chat_messages',
+  'customer_transactions',
+  'chat_sessions',
+  'auth_sessions',
+  'otp_requests',
+  'mitra_online_logs',
+  'mitra_online_status',
+]
+
+export const resetDb = async () => {
+  const sql = db()
+  // RESTART IDENTITY is a no-op for UUID PKs but cheap; CASCADE handles any future FK additions.
+  await sql.unsafe(`TRUNCATE TABLE ${TRUNCATE_TABLES.join(', ')} RESTART IDENTITY CASCADE`)
+}
+
+/**
+ * Wipe the slow-changing tables too — call sparingly (a single test that needs to
+ * verify "no users" semantics, or in afterAll teardown).
+ */
+export const resetDbHard = async () => {
+  const sql = db()
+  await sql.unsafe(
+    `TRUNCATE TABLE ${TRUNCATE_TABLES.join(', ')}, mitras, customers, control_center_users, roles RESTART IDENTITY CASCADE`
+  )
+}
+
+/**
+ * Drop and re-seed the configurable app_config rows back to their canonical defaults.
+ * Tests that mutate config (e.g. flipping free_trial_enabled) call this in afterEach.
+ */
+export const resetAppConfig = async () => {
+  const sql = db()
+  // Restore the same defaults the migration sets. Using ON CONFLICT … DO UPDATE so a
+  // test-mutated row gets clobbered back, not just left alone.
+  const defaults = [
+    ['anonymity', { enabled: false }],
+    ['max_customers_per_mitra', { value: 3 }],
+    ['free_trial_enabled', { value: true }],
+    ['free_trial_duration_minutes', { value: 5 }],
+    ['extension_timeout_seconds', { value: 60 }],
+    ['early_end_mitra_enabled', { value: false }],
+    ['early_end_customer_enabled', { value: false }],
+    ['payment_session_timeout_minutes', { value: 20 }],
+    ['returning_chat_confirmation_timeout_seconds', { value: 20 }],
+    ['extension_default_action_on_timeout', { value: 'auto_approve' }],
+    ['pairing_blast_timeout_seconds', { value: 60 }],
+  ]
+  for (const [key, value] of defaults) {
+    await sql`
+      INSERT INTO app_config (key, value, updated_at)
+      VALUES (${key}, ${sql.json(value)}, NOW())
+      ON CONFLICT (key) DO UPDATE SET value = EXCLUDED.value, updated_at = NOW()
+    `
+  }
+}

backend/test/helpers/fixtures.js

@@ -0,0 +1,64 @@
+import { randomUUID } from 'node:crypto'
+import { db, resetAppConfig } from './db.js'
+
+/**
+ * Insert a customer row. Defaults to the schema after the Phase 3.4 auth rewrite
+ * (display_name nullable, is_anonymous defaults true).
+ */
+export const createCustomer = async ({
+  id = randomUUID(),
+  callName = `TestCust-${id.slice(0, 6)}`,
+  phone = null,
+  isAnonymous = false,
+} = {}) => {
+  const sql = db()
+  const [row] = await sql`
+    INSERT INTO customers (id, display_name, phone, is_anonymous)
+    VALUES (${id}, ${callName}, ${phone}, ${isAnonymous})
+    RETURNING id, display_name, phone, is_anonymous, created_at
+  `
+  return row
+}
+
+/**
+ * Insert a mitra row. If `isOnline` is true, also creates the mitra_online_status row
+ * so pairing.findAvailableMitras includes it.
+ */
+export const createMitra = async ({
+  id = randomUUID(),
+  callName = `TestMitra-${id.slice(0, 6)}`,
+  phone = null,
+  isActive = true,
+  isOnline = false,
+} = {}) => {
+  const sql = db()
+  // mitras.phone is NOT NULL UNIQUE — synthesize a unique phone if not given.
+  const finalPhone = phone || `+62800${Math.floor(Math.random() * 1e10).toString().padStart(10, '0')}`
+  const [row] = await sql`
+    INSERT INTO mitras (id, display_name, phone, is_active)
+    VALUES (${id}, ${callName}, ${finalPhone}, ${isActive})
+    RETURNING id, display_name, phone, is_active, created_at
+  `
+  if (isOnline) {
+    const now = new Date()
+    await sql`
+      INSERT INTO mitra_online_status (mitra_id, is_online, last_online_at, last_heartbeat_at, updated_at)
+      VALUES (${id}, true, ${now}, ${now}, ${now})
+      ON CONFLICT (mitra_id) DO UPDATE
+        SET is_online = true, last_online_at = ${now}, last_heartbeat_at = ${now}, updated_at = ${now}
+    `
+  }
+  return row
+}
+
+/**
+ * Reset app_config rows to their canonical defaults. Tests that mutate config call
+ * this in afterEach (or rely on the global beforeEach in resetAll).
+ */
+export const seedDefaultConfig = () => resetAppConfig()
+
+/**
+ * Convenience: full reset between tests. Truncates Phase 3.7 tables, restores
+ * default config rows.
+ */
+export { resetDb, resetDbHard, resetAppConfig } from './db.js'

backend/test/helpers/jwt.js

@@ -0,0 +1,42 @@
+import jwt from 'jsonwebtoken'
+import { randomUUID } from 'node:crypto'
+import { UserType } from '../../src/constants.js'
+
+/**
+ * Mint a JWT that the production `authenticate` plugin will accept. Mirrors the
+ * payload shape from src/services/token.service.js#signAccessToken.
+ *
+ * We deliberately do NOT call issueTokens (which writes an auth_sessions row) so
+ * tests stay independent of that table. The access-token verification path in
+ * production never reads the DB — it only validates the JWT signature + claims.
+ *
+ * sessionId defaults to a random UUID; pass an explicit one if a test asserts on
+ * the session_id value.
+ */
+const sign = ({ userType, userId, sessionId = randomUUID() }) => {
+  const secret = process.env.AUTH_JWT_SECRET
+  if (!secret || secret.length < 32) {
+    throw new Error('AUTH_JWT_SECRET missing or too short for test JWT minting')
+  }
+  return jwt.sign(
+    { user_type: userType, session_id: sessionId },
+    secret,
+    {
+      algorithm: 'HS256',
+      expiresIn: 3600,
+      subject: userId,
+    },
+  )
+}
+
+export const customerJwt = (userId, opts = {}) =>
+  sign({ userType: UserType.CUSTOMER, userId, ...opts })
+
+export const mitraJwt = (userId, opts = {}) =>
+  sign({ userType: UserType.MITRA, userId, ...opts })
+
+export const ccJwt = (userId, opts = {}) =>
+  sign({ userType: UserType.CC_USER, userId, ...opts })
+
+/** `Authorization: Bearer …` header builder for app.inject calls. */
+export const authHeader = (token) => ({ authorization: `Bearer ${token}` })

backend/test/helpers/server.js

@@ -0,0 +1,25 @@
+/**
+ * Build the public or internal Fastify app for in-process testing.
+ *
+ * Tests use `app.inject({ method, url, headers, payload })` to issue requests —
+ * this skips the HTTP layer entirely (no port binding, no socket overhead) and
+ * returns a typed response object.
+ *
+ * Each test file should call `buildPublic()` / `buildInternal()` in beforeAll and
+ * `await app.close()` in afterAll. Re-using the same app across tests in a file
+ * is fine — the DB state is what's reset between tests.
+ */
+
+export const buildPublic = async () => {
+  const { buildPublicApp } = await import('../../src/app.public.js')
+  const app = await buildPublicApp()
+  await app.ready()
+  return app
+}
+
+export const buildInternal = async () => {
+  const { buildInternalApp } = await import('../../src/app.internal.js')
+  const app = await buildInternalApp()
+  await app.ready()
+  return app
+}

backend/test/helpers/valkey.js

@@ -0,0 +1,27 @@
+import Redis from 'ioredis'
+
+let testClient
+
+/**
+ * Test-scoped Valkey client (separate db number from dev — see .env.test).
+ * Tests can use this directly for keyspace assertions, or just rely on the services
+ * which read VALKEY_URL via the production plugin (now pointing at the test db).
+ */
+export const getTestValkey = () => {
+  if (!testClient) {
+    testClient = new Redis(process.env.TEST_VALKEY_URL || process.env.VALKEY_URL)
+  }
+  return testClient
+}
+
+export const flushTestDb = async () => {
+  const c = getTestValkey()
+  await c.flushdb()
+}
+
+export const closeTestValkey = async () => {
+  if (testClient) {
+    testClient.disconnect()
+    testClient = null
+  }
+}