Phase 3.7: paid pairing flow + returning chat + extension flip

- Backend: payment_sessions + pairing_failures tables; payment.service.js
  and pairing-failure.service.js (new); rewritten pairing.service.js
  (payment-gated blast + targeted "Curhat lagi" + cancel + fallback);
  rewritten extension.service.js (data-driven auto-approve with offline
  safeguard, charge-at-approval); pricing.service.js (extension tiers
  without free trial); mitra-status.service.js (countAvailableMitras
  cached path); 60s sweeper for stale payment sessions
- Backend routes: client.payment.routes, client.mitra-availability.routes,
  internal/failed-pairings.routes; client.chat.routes rewritten for
  payment-gated start + /returning + /cancel + /fallback-to-blast;
  internal/config.routes adds 4 new keys with Valkey invalidate publish
- client_app: mitra-availability poll, payment screen + notifier, pairing
  notifier rewrite (PairingTargetedWaiting + PairingFailed states),
  targeted-waiting overlay + bestie-unavailable dialog, "Curhat lagi"
  CTA, failed-pairing terminal, extension via payment-session
- mitra_app: PairingRequestType enum, returning-chat 20s countdown
  auto-dismiss, extension card "otomatis disetujui" copy
- control_center: 4 new config rows in Settings, Failed Pairings page
  (filter + paginate + action menu), sidebar + route registered
- Test infrastructure: Vitest backend (7/7 pass), Playwright CC (4/4
  pass), Maestro mobile scaffold (CLI install pending)
- Bugs found via Playwright + fixed: LoginPage labels not associated
  with inputs (a11y); backend internal CORS missing PATCH/PUT/DELETE
  in allow-methods (silent settings breakage in browsers since Stage 4)
- Docs: phase3.7.md PRD, phase3.7-plan.md, phase3.7-questions.md (Q&A),
  phase3.7-testing.md (E2E checklist), phase3.7-test-run-2026-05-03.md
  (today's run results)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend/test/services/pairing.service.test.js

@@ -0,0 +1,135 @@
+import { describe, it, expect, beforeAll, beforeEach, afterEach, afterAll, vi } from 'vitest'
+
+/**
+ * The pairing service fans out via the websocket plugin (`sendToUser`) and FCM
+ * (`sendPushNotification`). We mock both so tests assert on intent (which event
+ * was sent to which user) without needing a real WS client or FCM credentials.
+ *
+ * Mocks must be declared at the top level so vi.mock hoists them above the
+ * service imports.
+ */
+vi.mock('../../src/plugins/websocket.js', () => ({
+  // Default: pretend the user is not connected so the service falls back to FCM —
+  // matches the "customer is in the app but socket isn't open" path.
+  sendToUser: vi.fn(() => false),
+  sendToSessionParticipant: vi.fn(() => false),
+  registerWebSocketPlugin: vi.fn(),
+  registerWebSocketRoute: vi.fn(),
+  isUserOnlineWs: vi.fn(() => false),
+  getSessionConnections: vi.fn(() => ({})),
+}))
+
+vi.mock('../../src/services/notification.service.js', () => ({
+  sendPushNotification: vi.fn(async () => true),
+  registerDeviceToken: vi.fn(async () => {}),
+}))
+
+// Imports BELOW the mocks (vi.mock is hoisted, but keeping the order explicit aids
+// readability and matches Vitest docs).
+const { sendToUser } = await import('../../src/plugins/websocket.js')
+const {
+  createPairingRequest,
+  declinePairingRequest,
+  cancelPairingRequest,
+} = await import('../../src/services/pairing.service.js')
+const { createPaymentSession, confirmPaymentSession } = await import('../../src/services/payment.service.js')
+const {
+  WsMessage,
+  PairingFailureCause,
+  PaymentSessionStatus,
+  SessionStatus,
+} = await import('../../src/constants.js')
+const { db, resetDb, resetAppConfig } = await import('../helpers/db.js')
+const { createCustomer, createMitra } = await import('../helpers/fixtures.js')
+
+describe('pairing.service', () => {
+  let customer
+  let mitra
+
+  beforeAll(async () => {
+    await resetAppConfig()
+  })
+
+  beforeEach(async () => {
+    await resetDb()
+    sendToUser.mockClear()
+    customer = await createCustomer({ callName: 'Alice' })
+    mitra = await createMitra({ callName: 'MitraOne', isOnline: true })
+  })
+
+  afterEach(() => {
+    vi.clearAllMocks()
+  })
+
+  it('single-recipient general blast → mitra declines → terminates with ALL_MITRAS_REJECTED', async () => {
+    // Arrange: confirmed, non-targeted payment session.
+    const pay = await createPaymentSession({
+      customerId: customer.id,
+      durationMinutes: 15,
+      amount: 30000,
+    })
+    await confirmPaymentSession(pay.id, customer.id)
+
+    // Act: customer fires the general blast — only one mitra is online.
+    const session = await createPairingRequest(customer.id, {
+      paymentSessionId: pay.id,
+    })
+    expect(session.status).toBe(SessionStatus.PENDING_ACCEPTANCE)
+
+    // The single recipient declines. With the /simplify fix this is correctly
+    // classified as a general-blast all-rejected, NOT a targeted reject.
+    await declinePairingRequest(session.id, mitra.id)
+
+    // Assert: pairing_failures row carries ALL_MITRAS_REJECTED, not TARGETED_*.
+    const sql = db()
+    const failures = await sql`
+      SELECT cause_tag FROM pairing_failures WHERE payment_session_id = ${pay.id}
+    `
+    expect(failures).toHaveLength(1)
+    expect(failures[0].cause_tag).toBe(PairingFailureCause.ALL_MITRAS_REJECTED)
+
+    // Payment session is terminal (failed_pairing) — terminal failures consume the payment.
+    const [paySession] = await sql`SELECT status FROM payment_sessions WHERE id = ${pay.id}`
+    expect(paySession.status).toBe(PaymentSessionStatus.FAILED_PAIRING)
+
+    // Customer was notified with PAIRING_FAILED carrying the same cause tag.
+    const pairingFailedCalls = sendToUser.mock.calls.filter(
+      ([, , data]) => data?.type === WsMessage.PAIRING_FAILED,
+    )
+    expect(pairingFailedCalls).toHaveLength(1)
+    expect(pairingFailedCalls[0][2].cause_tag).toBe(PairingFailureCause.ALL_MITRAS_REJECTED)
+  })
+
+  it('cancelPairingRequest does NOT push PAIRING_FAILED to the customer', async () => {
+    // Arrange: a confirmed payment + an in-flight pairing request the customer is about to cancel.
+    const pay = await createPaymentSession({
+      customerId: customer.id,
+      durationMinutes: 15,
+      amount: 30000,
+    })
+    await confirmPaymentSession(pay.id, customer.id)
+    const session = await createPairingRequest(customer.id, {
+      paymentSessionId: pay.id,
+    })
+
+    // Act: customer cancels.
+    await cancelPairingRequest(session.id, customer.id)
+
+    // Assert: the customer must NOT receive a PAIRING_FAILED event for their own cancel.
+    // Mitras still get CHAT_REQUEST_CLOSED (that's the dismiss event) — we only assert on
+    // the customer-targeted events.
+    const customerEvents = sendToUser.mock.calls.filter(
+      // sendToUser signature: (userType, userId, data)
+      ([userType, userId]) => userId === customer.id,
+    )
+    const customerEventTypes = customerEvents.map(([, , data]) => data?.type)
+    expect(customerEventTypes).not.toContain(WsMessage.PAIRING_FAILED)
+
+    // Payment session is still terminated (CUSTOMER_CANCELLED) — the failure row exists
+    // for ops accounting, just no real-time push to the customer who initiated the cancel.
+    const sql = db()
+    const failures = await sql`SELECT cause_tag FROM pairing_failures WHERE payment_session_id = ${pay.id}`
+    expect(failures).toHaveLength(1)
+    expect(failures[0].cause_tag).toBe(PairingFailureCause.CUSTOMER_CANCELLED)
+  })
+})