fix: replace member.save() in invite.post.js and remove stale NUXT_PUBLIC_HELCIM_TOKEN env check

server/api/admin/members/invite.post.js

@@ -49,9 +49,7 @@ export default defineEventHandler(async (event) => {
         { expiresIn: '48h' },
       )
 
-      // Store jti for single-use enforcement in verify.post.js
-      member.magicLinkJti = jti
-      member.magicLinkJtiUsed = false
+      // Store jti for single-use enforcement in verify.post.js (set after email succeeds below)
 
       // Token in fragment — never hits server logs
       const loginLink = `${baseUrl}/verify#${token}`
@@ -87,11 +85,20 @@ export default defineEventHandler(async (event) => {
         continue
       }
 
-      // Mark member as active and record invite sent
-      member.status = 'active'
-      member.inviteEmailSent = true
-      member.inviteEmailSentAt = new Date()
-      await member.save()
+      // Mark member as active, record invite sent, store jti for single-use enforcement
+      await Member.findByIdAndUpdate(
+        member._id,
+        {
+          $set: {
+            magicLinkJti: jti,
+            magicLinkJtiUsed: false,
+            status: 'active',
+            inviteEmailSent: true,
+            inviteEmailSentAt: new Date(),
+          },
+        },
+        { runValidators: false }
+      )
 
       results.push({ memberId: member._id, email: member.email, success: true })
     } catch (err) {