feat(launch): security and correctness fixes for 2026-05-01 launch

Day-of-launch deep-dive audit and remediation. 11 issues fixed across
security, correctness, and reliability. Tests: 698 → 758 passing
(+60), 0 failing, 2 skipped.

CRITICAL (security)

Fix #1 — HELCIM_API_TOKEN removed from runtimeConfig.public; dead
useHelcim.js deleted. Production token MUST BE ROTATED post-deploy
(was previously exposed in window.__NUXT__ payload).

Fix #2 — /api/helcim/customer gated with origin check + per-IP/email
rate limit + magic-link email verification (replaces unauthenticated
setAuthCookie). Adds payment-bridge token for paid-tier signup so
users can complete Helcim checkout before email verify. New utils:
server/utils/{magicLink,rateLimit}.js. UX: signup success copy now
prompts user to check email.

Fix #3 — /api/events/[id]/payment deleted (dead code with unauth
member-spoof bypass — processHelcimPayment was a permanent stub).
Removes processHelcimPayment export and eventPaymentSchema.

Fix #4 — /api/helcim/initialize-payment re-derives ticket amount
server-side via calculateTicketPrice and calculateSeriesTicketPrice.
Adds new series_ticket metadata type (was being shoved through
event_ticket with seriesId in metadata.eventId).

Fix #5 — /api/helcim/customer upgrades existing status:guest members
in place rather than rejecting with 409. Lowercases email at lookup;
preserves _id so prior event registrations stay linked.

HIGH (correctness / reliability)

Fix #6 — Daily reconciliation cron via Netlify scheduled function
(@daily). New: netlify.toml, netlify/functions/reconcile-payments.mjs,
server/api/internal/reconcile-payments.post.js. Shared-secret auth
via NUXT_RECONCILE_TOKEN env var. Inline 3-retry exponential backoff
on Helcim transactions API.

Fix #7 — validateBeforeSave: false on event subdoc saves (waitlist
endpoints) to dodge legacy location validators.

Fix #8 — /api/series/[id]/tickets/purchase always upserts a guest
Member when caller is unauthenticated, mirrors event-ticket flow
byte-for-byte. SeriesPassPurchase.vue adds guest-account hint and
client auth refresh on signedIn:true response.

Fix #9 — /api/members/cancel-subscription leaves status active per
ratified bylaws (was pending_payment). Adds lastCancelledAt audit
field on Member model. Indirectly fixes false-positive
detectStuckPendingPayment admin alert for cancelled members.

Fix #10 — /api/auth/verify uses validateBody with strict() Zod schema
(verifyMagicLinkSchema, max 2000 chars).

Fix #11 — 8 vitest cases for cancel-subscription handler (was
uncovered).

Specs and audit at docs/superpowers/specs/2026-04-25-fix-*.md and
docs/superpowers/plans/2026-04-25-launch-readiness-fixes.md.
LAUNCH_READINESS.md updated with new test count, 3 deploy-time
tasks (rotate Helcim token, set NUXT_RECONCILE_TOKEN, verify
Netlify scheduled function), and Fixed-2026-04-25 fix log.

server/api/events/[id]/payment.post.js

@@ -1,128 +0,0 @@
-import Event from '../../../models/event.js'
-import Member from '../../../models/member.js'
-import { connectDB } from '../../../utils/mongoose.js'
-import { processHelcimPayment } from '../../../utils/helcim.js'
-import mongoose from 'mongoose'
-
-export default defineEventHandler(async (event) => {
-  try {
-    await connectDB()
-    const identifier = getRouterParam(event, 'id')
-    const body = await validateBody(event, eventPaymentSchema)
-
-    if (!identifier) {
-      throw createError({
-        statusCode: 400,
-        statusMessage: 'Event identifier is required'
-      })
-    }
-    
-    // Fetch the event
-    let eventData
-    if (mongoose.Types.ObjectId.isValid(identifier)) {
-      eventData = await Event.findById(identifier)
-    }
-    if (!eventData) {
-      eventData = await Event.findOne({ slug: identifier })
-    }
-    
-    if (!eventData) {
-      throw createError({
-        statusCode: 404,
-        statusMessage: 'Event not found'
-      })
-    }
-    
-    // Check if event requires payment
-    if (eventData.pricing.isFree || !eventData.pricing.paymentRequired) {
-      throw createError({
-        statusCode: 400,
-        statusMessage: 'This event does not require payment'
-      })
-    }
-    
-    // Check if user is already registered
-    const existingRegistration = eventData.registrations.find(
-      reg => reg.email.toLowerCase() === body.email.toLowerCase()
-    )
-    
-    if (existingRegistration) {
-      throw createError({
-        statusCode: 400,
-        statusMessage: 'You are already registered for this event'
-      })
-    }
-    
-    // Check if user is a member (members get free access)
-    const member = await Member.findOne({ email: body.email.toLowerCase() })
-    
-    if (member) {
-      // Members get free access - register directly without payment
-      eventData.registrations.push({
-        name: body.name,
-        email: body.email.toLowerCase(),
-        membershipLevel: `${member.circle}-${member.contributionAmount}`,
-        isMember: true,
-        paymentStatus: 'not_required',
-        amountPaid: 0
-      })
-      
-      await eventData.save()
-      
-      return {
-        success: true,
-        message: 'Successfully registered as a member (no payment required)',
-        registration: eventData.registrations[eventData.registrations.length - 1]
-      }
-    }
-    
-    // Process payment for non-members
-    const paymentResult = await processHelcimPayment({
-      amount: eventData.pricing.publicPrice,
-      paymentToken: body.paymentToken,
-      customerData: {
-        name: body.name,
-        email: body.email
-      }
-    })
-    
-    if (!paymentResult.success) {
-      throw createError({
-        statusCode: 400,
-        statusMessage: paymentResult.message || 'Payment failed'
-      })
-    }
-    
-    // Add registration with successful payment
-    eventData.registrations.push({
-      name: body.name,
-      email: body.email.toLowerCase(),
-      membershipLevel: 'non-member',
-      isMember: false,
-      paymentStatus: 'completed',
-      paymentId: paymentResult.transactionId,
-      amountPaid: eventData.pricing.publicPrice
-    })
-    
-    await eventData.save()
-    
-    return {
-      success: true,
-      message: 'Payment successful and registered for event',
-      paymentId: paymentResult.transactionId,
-      registration: eventData.registrations[eventData.registrations.length - 1]
-    }
-    
-  } catch (error) {
-    console.error('Error processing event payment:', error)
-    
-    if (error.statusCode) {
-      throw error
-    }
-    
-    throw createError({
-      statusCode: 500,
-      statusMessage: 'Failed to process payment and registration'
-    })
-  }
-})

server/api/events/[id]/waitlist.delete.js

@@ -32,7 +32,8 @@ export default defineEventHandler(async (event) => {
     }
 
     eventData.tickets.waitlist.entries.splice(waitlistIndex, 1);
-    await eventData.save();
+    // Skip validators to avoid tripping on legacy location data unrelated to this write.
+    await eventData.save({ validateBeforeSave: false });
 
     return {
       success: true,

server/api/events/[id]/waitlist.post.js

@@ -87,7 +87,8 @@ export default defineEventHandler(async (event) => {
       notified: false,
     });
 
-    await eventData.save();
+    // Skip validators to avoid tripping on legacy location data unrelated to this write.
+    await eventData.save({ validateBeforeSave: false });
 
     // Get position in waitlist
     const position = eventData.tickets.waitlist.entries.length;