halobestie-clone

Author	SHA1	Message	Date
Ramadhan Sjamsani	2c95fd040d	Phase 5.x payment revamp + Xendit Stage-8 prep - Backend wraps idn-finlogos npm at /assets/payment-icons/<slug>.svg with 1y immutable cache. Mobile drops bundled SVGs (only placeholder remains) and fetches via flutter_cache_manager. payment_methods.icon is now a CSV of slugs; catalog emits icon_urls[]. CARDS tile renders Visa + MC + JCB side by side. - Per-method min/max amount bounds (BIGINT, nullable). Picker greys out out-of-range tiles with subtitle; backend gates with INVALID_PAYMENT_AMOUNT (422). Defense in depth against stale-catalog clients. - Xendit channel codes corrected from authoritative docs (BCA_VA -> BCA_VIRTUAL_ACCOUNT, CREDIT_CARD -> CARDS, ovo -> ovo-new, shopeepay -> shopee-pay, ...). 18 methods x 5 groups seeded with Xendit-published per-channel min/max. - Re-runnable seed (ON CONFLICT DO NOTHING on payment_code + new unique index on group name). Operator CC edits never clobbered across re-runs. One-shot reset + inspect scripts under backend/.dev/. - Customer redirect HTML pages at /payment/return/{success,failure}, brand-styled with "Buka HaloBestie" CTA firing halobestie:// deeplink. URL scheme registered on Android (intent-filter w/ BROWSABLE on MainActivity) and iOS (CFBundleURLTypes). Waiting-payment poller still owns confirmation; deeplink just brings the activity to foreground. - Control center payment-catalog page: min/max inputs + columns. Other CC pages restyled with new theme tokens (separate work, bundled here). 169/169 backend tests pass. See requirement/phase5-payment-revamp-2026-05-27.md for the full revamp doc. Stage 8 (E2E) still pending: webhook URL routing decision + two client_app follow-ups (legacy /chat/request removal, extension Custom Tab). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-27 21:33:51 +08:00
ramadhan sjamsani	d09e50af55	Phase 3.7: paid pairing flow + returning chat + extension flip - Backend: payment_sessions + pairing_failures tables; payment.service.js and pairing-failure.service.js (new); rewritten pairing.service.js (payment-gated blast + targeted "Curhat lagi" + cancel + fallback); rewritten extension.service.js (data-driven auto-approve with offline safeguard, charge-at-approval); pricing.service.js (extension tiers without free trial); mitra-status.service.js (countAvailableMitras cached path); 60s sweeper for stale payment sessions - Backend routes: client.payment.routes, client.mitra-availability.routes, internal/failed-pairings.routes; client.chat.routes rewritten for payment-gated start + /returning + /cancel + /fallback-to-blast; internal/config.routes adds 4 new keys with Valkey invalidate publish - client_app: mitra-availability poll, payment screen + notifier, pairing notifier rewrite (PairingTargetedWaiting + PairingFailed states), targeted-waiting overlay + bestie-unavailable dialog, "Curhat lagi" CTA, failed-pairing terminal, extension via payment-session - mitra_app: PairingRequestType enum, returning-chat 20s countdown auto-dismiss, extension card "otomatis disetujui" copy - control_center: 4 new config rows in Settings, Failed Pairings page (filter + paginate + action menu), sidebar + route registered - Test infrastructure: Vitest backend (7/7 pass), Playwright CC (4/4 pass), Maestro mobile scaffold (CLI install pending) - Bugs found via Playwright + fixed: LoginPage labels not associated with inputs (a11y); backend internal CORS missing PATCH/PUT/DELETE in allow-methods (silent settings breakage in browsers since Stage 4) - Docs: phase3.7.md PRD, phase3.7-plan.md, phase3.7-questions.md (Q&A), phase3.7-testing.md (E2E checklist), phase3.7-test-run-2026-05-03.md (today's run results) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-03 23:02:49 +08:00
ramadhan sjamsani	4a796277b8	Phase 3.4: control_center self-managed auth cutover Replaces Firebase Auth with the new JWT + httpOnly-cookie refresh flow. Smoke-tested end-to-end via curl (login → /me → refresh rotation → logout). - Remove firebase dep + firebase.js - New token-bridge decouples api-client from AuthContext and de-dupes concurrent 401 refreshes - AuthContext: in-memory access token (useRef), bootstrap via /internal/auth/refresh, login/logout/refresh methods - api-client: withCredentials, Bearer attach, auto-retry once on 401 - LoginPage: handle INVALID_CREDENTIALS / ACCOUNT_LOCKED / VALIDATION_ERROR - Layout: self-service "Ganti password" form - UsersPage: initial password field on create + per-row admin-forced reset - .env / .env.example: drop VITE_FIREBASE_* vars - backend/CLAUDE.md + control_center/CLAUDE.md: describe new auth (were stale on Firebase) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-24 15:32:32 +08:00
ramadhan sjamsani	50d31260dc	Fix auth errors, CORS, control center login, and stale session handling - Mitra auth: parse DioException response for proper error messages (ACCOUNT_NOT_FOUND, ACCOUNT_INACTIVE) instead of generic "OTP invalid" - Backend: add CORS to internal app (port 3001) for control center - Control center: fix login race condition (wait for AuthContext verify before navigating), fix MitraActivityPage fetching paginated data - Stale session goodbye: both apps detect SESSION_NOT_ACTIVE/409 and move to complete state instead of retrying endlessly Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-15 20:49:57 +08:00
ramadhan sjamsani	a7a2a32d27	Phase 1 scaffold: auth for all apps - Backend: Fastify with two listeners (public + internal), routes, services, DB migration + seed - client_app: Flutter with BLoC, all auth screens (welcome, display name, register, OTP, force-register) - mitra_app: Flutter with BLoC, OTP-only login - control_center: React + Vite, email/password login, mitra/user management, anonymity settings - Docs: phase1 plan, API contract, client app mockup - CLAUDE.md and shared memory for all subprojects Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-05 10:08:42 +08:00

5 Commits