feat(launch): security and correctness fixes for 2026-05-01 launch

Day-of-launch deep-dive audit and remediation. 11 issues fixed across
security, correctness, and reliability. Tests: 698 → 758 passing
(+60), 0 failing, 2 skipped.

CRITICAL (security)

Fix #1 — HELCIM_API_TOKEN removed from runtimeConfig.public; dead
useHelcim.js deleted. Production token MUST BE ROTATED post-deploy
(was previously exposed in window.__NUXT__ payload).

Fix #2 — /api/helcim/customer gated with origin check + per-IP/email
rate limit + magic-link email verification (replaces unauthenticated
setAuthCookie). Adds payment-bridge token for paid-tier signup so
users can complete Helcim checkout before email verify. New utils:
server/utils/{magicLink,rateLimit}.js. UX: signup success copy now
prompts user to check email.

Fix #3 — /api/events/[id]/payment deleted (dead code with unauth
member-spoof bypass — processHelcimPayment was a permanent stub).
Removes processHelcimPayment export and eventPaymentSchema.

Fix #4 — /api/helcim/initialize-payment re-derives ticket amount
server-side via calculateTicketPrice and calculateSeriesTicketPrice.
Adds new series_ticket metadata type (was being shoved through
event_ticket with seriesId in metadata.eventId).

Fix #5 — /api/helcim/customer upgrades existing status:guest members
in place rather than rejecting with 409. Lowercases email at lookup;
preserves _id so prior event registrations stay linked.

HIGH (correctness / reliability)

Fix #6 — Daily reconciliation cron via Netlify scheduled function
(@daily). New: netlify.toml, netlify/functions/reconcile-payments.mjs,
server/api/internal/reconcile-payments.post.js. Shared-secret auth
via NUXT_RECONCILE_TOKEN env var. Inline 3-retry exponential backoff
on Helcim transactions API.

Fix #7 — validateBeforeSave: false on event subdoc saves (waitlist
endpoints) to dodge legacy location validators.

Fix #8 — /api/series/[id]/tickets/purchase always upserts a guest
Member when caller is unauthenticated, mirrors event-ticket flow
byte-for-byte. SeriesPassPurchase.vue adds guest-account hint and
client auth refresh on signedIn:true response.

Fix #9 — /api/members/cancel-subscription leaves status active per
ratified bylaws (was pending_payment). Adds lastCancelledAt audit
field on Member model. Indirectly fixes false-positive
detectStuckPendingPayment admin alert for cancelled members.

Fix #10 — /api/auth/verify uses validateBody with strict() Zod schema
(verifyMagicLinkSchema, max 2000 chars).

Fix #11 — 8 vitest cases for cancel-subscription handler (was
uncovered).

Specs and audit at docs/superpowers/specs/2026-04-25-fix-*.md and
docs/superpowers/plans/2026-04-25-launch-readiness-fixes.md.
LAUNCH_READINESS.md updated with new test count, 3 deploy-time
tasks (rotate Helcim token, set NUXT_RECONCILE_TOKEN, verify
Netlify scheduled function), and Fixed-2026-04-25 fix log.

app/composables/useHelcim.js

@@ -1,90 +0,0 @@
-// Helcim API integration composable
-export const useHelcim = () => {
-  const config = useRuntimeConfig()
-  const helcimToken = config.public.helcimToken
-
-  // Base URL for Helcim API
-  const HELCIM_API_BASE = 'https://api.helcim.com/v2'
-
-  // Helper function to make API requests
-  const makeHelcimRequest = async (endpoint, method = 'GET', body = null) => {
-    try {
-      const response = await $fetch(`${HELCIM_API_BASE}${endpoint}`, {
-        method,
-        headers: {
-          'accept': 'application/json',
-          'content-type': 'application/json',
-          'api-token': helcimToken
-        },
-        body: body ? JSON.stringify(body) : undefined
-      })
-      return response
-    } catch (error) {
-      console.error('Helcim API error:', error)
-      throw error
-    }
-  }
-
-  // Create a customer
-  const createCustomer = async (customerData) => {
-    return await makeHelcimRequest('/customers', 'POST', {
-      customerType: 'PERSON',
-      contactName: customerData.name,
-      email: customerData.email,
-      billingAddress: customerData.billingAddress || {}
-    })
-  }
-
-  // Create a subscription
-  const createSubscription = async (customerId, planId, cardToken) => {
-    return await makeHelcimRequest('/recurring/subscriptions', 'POST', {
-      customerId,
-      planId,
-      cardToken,
-      startDate: new Date().toISOString().split('T')[0] // Today's date
-    })
-  }
-
-  // Get customer details
-  const getCustomer = async (customerId) => {
-    return await makeHelcimRequest(`/customers/${customerId}`)
-  }
-
-  // Get subscription details
-  const getSubscription = async (subscriptionId) => {
-    return await makeHelcimRequest(`/recurring/subscriptions/${subscriptionId}`)
-  }
-
-  // Update subscription
-  const updateSubscription = async (subscriptionId, updates) => {
-    return await makeHelcimRequest(`/recurring/subscriptions/${subscriptionId}`, 'PATCH', updates)
-  }
-
-  // Cancel subscription
-  const cancelSubscription = async (subscriptionId) => {
-    return await makeHelcimRequest(`/recurring/subscriptions/${subscriptionId}`, 'DELETE')
-  }
-
-  // Get payment plans
-  const getPaymentPlans = async () => {
-    return await makeHelcimRequest('/recurring/plans')
-  }
-
-  // Verify card token (for testing)
-  const verifyCardToken = async (cardToken) => {
-    return await makeHelcimRequest('/cards/verify', 'POST', {
-      cardToken
-    })
-  }
-
-  return {
-    createCustomer,
-    createSubscription,
-    getCustomer,
-    getSubscription,
-    updateSubscription,
-    cancelSubscription,
-    getPaymentPlans,
-    verifyCardToken
-  }
-}

app/composables/useHelcimPay.js

@@ -3,7 +3,7 @@ export const useHelcimPay = () => {
   let checkoutToken = null;
   let secretToken = null;
 
-  // Initialize HelcimPay.js session
+  // Initialize HelcimPay.js session (membership signup flow)
   const initializeHelcimPay = async (customerId, customerCode, amount = 0) => {
     try {
       const response = await $fetch("/api/helcim/initialize-payment", {
@@ -12,6 +12,10 @@ export const useHelcimPay = () => {
           customerId,
           customerCode,
           amount,
+          // Marks this as a paid-tier signup so the server accepts the
+          // payment-bridge cookie set by /api/helcim/customer (the user
+          // hasn't clicked their email-verify magic link yet).
+          metadata: { type: "membership_signup" },
         },
       });
 
@@ -57,6 +61,7 @@ export const useHelcimPay = () => {
         return {
           success: true,
           checkoutToken: response.checkoutToken,
+          amount: response.amount,
         };
       }
 
@@ -67,6 +72,44 @@ export const useHelcimPay = () => {
     }
   };
 
+  // Initialize payment for series pass purchase
+  const initializeSeriesTicketPayment = async (
+    seriesId,
+    email,
+    seriesTitle = null,
+  ) => {
+    try {
+      const response = await $fetch("/api/helcim/initialize-payment", {
+        method: "POST",
+        body: {
+          customerId: null,
+          customerCode: email,
+          metadata: {
+            type: "series_ticket",
+            seriesId,
+            email,
+            eventTitle: seriesTitle,
+          },
+        },
+      });
+
+      if (response.success) {
+        checkoutToken = response.checkoutToken;
+        secretToken = response.secretToken;
+        return {
+          success: true,
+          checkoutToken: response.checkoutToken,
+          amount: response.amount,
+        };
+      }
+
+      throw new Error("Failed to initialize series payment session");
+    } catch (error) {
+      console.error("Series payment initialization error:", error);
+      throw error;
+    }
+  };
+
   // Show payment modal
   const showPaymentModal = () => {
     return new Promise((resolve, reject) => {
@@ -272,6 +315,7 @@ export const useHelcimPay = () => {
   return {
     initializeHelcimPay,
     initializeTicketPayment,
+    initializeSeriesTicketPayment,
     verifyPayment,
     cleanup,
   };