Phase 3.7: paid pairing flow + returning chat + extension flip

- Backend: payment_sessions + pairing_failures tables; payment.service.js
  and pairing-failure.service.js (new); rewritten pairing.service.js
  (payment-gated blast + targeted "Curhat lagi" + cancel + fallback);
  rewritten extension.service.js (data-driven auto-approve with offline
  safeguard, charge-at-approval); pricing.service.js (extension tiers
  without free trial); mitra-status.service.js (countAvailableMitras
  cached path); 60s sweeper for stale payment sessions
- Backend routes: client.payment.routes, client.mitra-availability.routes,
  internal/failed-pairings.routes; client.chat.routes rewritten for
  payment-gated start + /returning + /cancel + /fallback-to-blast;
  internal/config.routes adds 4 new keys with Valkey invalidate publish
- client_app: mitra-availability poll, payment screen + notifier, pairing
  notifier rewrite (PairingTargetedWaiting + PairingFailed states),
  targeted-waiting overlay + bestie-unavailable dialog, "Curhat lagi"
  CTA, failed-pairing terminal, extension via payment-session
- mitra_app: PairingRequestType enum, returning-chat 20s countdown
  auto-dismiss, extension card "otomatis disetujui" copy
- control_center: 4 new config rows in Settings, Failed Pairings page
  (filter + paginate + action menu), sidebar + route registered
- Test infrastructure: Vitest backend (7/7 pass), Playwright CC (4/4
  pass), Maestro mobile scaffold (CLI install pending)
- Bugs found via Playwright + fixed: LoginPage labels not associated
  with inputs (a11y); backend internal CORS missing PATCH/PUT/DELETE
  in allow-methods (silent settings breakage in browsers since Stage 4)
- Docs: phase3.7.md PRD, phase3.7-plan.md, phase3.7-questions.md (Q&A),
  phase3.7-testing.md (E2E checklist), phase3.7-test-run-2026-05-03.md
  (today's run results)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

control_center/tests/e2e/helpers/auth.js

@@ -0,0 +1,52 @@
+/**
+ * Auth helper for Playwright e2e tests.
+ *
+ * Logs in via the actual UI (rather than minting a JWT directly) for two
+ * reasons:
+ *   1. The CC keeps the access token in memory + uses an httpOnly refresh
+ *      cookie. The cleanest way to exercise that flow is the real form.
+ *   2. It tests the login page implicitly — if the form breaks, every
+ *      downstream test fails fast and obviously.
+ *
+ * If/when login becomes the bottleneck, swap this for a fixture that calls
+ * `POST /internal/auth/login` once per worker and replays the cookie via
+ * `context.addCookies(...)`.
+ */
+
+import { expect } from '@playwright/test'
+
+const TEST_EMAIL = process.env.CC_TEST_EMAIL || 'test-operator@example.com'
+const TEST_PASSWORD = process.env.CC_TEST_PASSWORD || 'changeme'
+
+/**
+ * Navigates to /login, fills the form, submits, and waits for the post-login
+ * redirect (defaults to /dashboard via App.jsx Navigate).
+ *
+ * @param {import('@playwright/test').Page} page
+ * @param {{ email?: string, password?: string }} [overrides]
+ */
+export async function loginAsOperator(page, overrides = {}) {
+  const email = overrides.email ?? TEST_EMAIL
+  const password = overrides.password ?? TEST_PASSWORD
+
+  await page.goto('/login')
+  await page.getByLabel('Email').fill(email)
+  await page.getByLabel('Password').fill(password)
+  await page.getByRole('button', { name: /Masuk/i }).click()
+
+  // App.jsx redirects authenticated users from `/` to `/dashboard`.
+  // Wait for the URL to leave /login as the success signal.
+  await page.waitForURL((url) => !url.pathname.startsWith('/login'), {
+    timeout: 10_000,
+  })
+}
+
+/**
+ * Convenience: assert the current page is a logged-in CC page (i.e. NOT
+ * /login). Useful as a sanity-check at the top of a test.
+ *
+ * @param {import('@playwright/test').Page} page
+ */
+export async function expectLoggedIn(page) {
+  await expect(page).not.toHaveURL(/\/login/)
+}