feat(launch): security and correctness fixes for 2026-05-01 launch

Day-of-launch deep-dive audit and remediation. 11 issues fixed across
security, correctness, and reliability. Tests: 698 → 758 passing
(+60), 0 failing, 2 skipped.

CRITICAL (security)

Fix #1 — HELCIM_API_TOKEN removed from runtimeConfig.public; dead
useHelcim.js deleted. Production token MUST BE ROTATED post-deploy
(was previously exposed in window.__NUXT__ payload).

Fix #2 — /api/helcim/customer gated with origin check + per-IP/email
rate limit + magic-link email verification (replaces unauthenticated
setAuthCookie). Adds payment-bridge token for paid-tier signup so
users can complete Helcim checkout before email verify. New utils:
server/utils/{magicLink,rateLimit}.js. UX: signup success copy now
prompts user to check email.

Fix #3 — /api/events/[id]/payment deleted (dead code with unauth
member-spoof bypass — processHelcimPayment was a permanent stub).
Removes processHelcimPayment export and eventPaymentSchema.

Fix #4 — /api/helcim/initialize-payment re-derives ticket amount
server-side via calculateTicketPrice and calculateSeriesTicketPrice.
Adds new series_ticket metadata type (was being shoved through
event_ticket with seriesId in metadata.eventId).

Fix #5 — /api/helcim/customer upgrades existing status:guest members
in place rather than rejecting with 409. Lowercases email at lookup;
preserves _id so prior event registrations stay linked.

HIGH (correctness / reliability)

Fix #6 — Daily reconciliation cron via Netlify scheduled function
(@daily). New: netlify.toml, netlify/functions/reconcile-payments.mjs,
server/api/internal/reconcile-payments.post.js. Shared-secret auth
via NUXT_RECONCILE_TOKEN env var. Inline 3-retry exponential backoff
on Helcim transactions API.

Fix #7 — validateBeforeSave: false on event subdoc saves (waitlist
endpoints) to dodge legacy location validators.

Fix #8 — /api/series/[id]/tickets/purchase always upserts a guest
Member when caller is unauthenticated, mirrors event-ticket flow
byte-for-byte. SeriesPassPurchase.vue adds guest-account hint and
client auth refresh on signedIn:true response.

Fix #9 — /api/members/cancel-subscription leaves status active per
ratified bylaws (was pending_payment). Adds lastCancelledAt audit
field on Member model. Indirectly fixes false-positive
detectStuckPendingPayment admin alert for cancelled members.

Fix #10 — /api/auth/verify uses validateBody with strict() Zod schema
(verifyMagicLinkSchema, max 2000 chars).

Fix #11 — 8 vitest cases for cancel-subscription handler (was
uncovered).

Specs and audit at docs/superpowers/specs/2026-04-25-fix-*.md and
docs/superpowers/plans/2026-04-25-launch-readiness-fixes.md.
LAUNCH_READINESS.md updated with new test count, 3 deploy-time
tasks (rotate Helcim token, set NUXT_RECONCILE_TOKEN, verify
Netlify scheduled function), and Fixed-2026-04-25 fix log.

server/utils/auth.js

@@ -22,6 +22,59 @@ export function setAuthCookie(event, member) {
   })
 }
 
+/**
+ * Issue a 30-minute payment-bridge cookie scoped to membership-signup checkout.
+ *
+ * The signup flow (POST /api/helcim/customer) defers the full session cookie
+ * to email-verify (magic link). For paid tiers the user still needs to complete
+ * Helcim checkout in the same browser tab — this short-lived, payment-only
+ * token lets `/api/helcim/initialize-payment` accept the call without a full
+ * session. The cookie is NOT honored by requireAuth and grants nothing else.
+ */
+export function setPaymentBridgeCookie(event, member) {
+  const token = jwt.sign(
+    {
+      memberId: member._id.toString(),
+      email: member.email,
+      scope: 'payment_bridge'
+    },
+    useRuntimeConfig(event).jwtSecret,
+    { expiresIn: '30m' }
+  )
+
+  setCookie(event, 'payment-bridge', token, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax',
+    path: '/',
+    maxAge: 60 * 30
+  })
+}
+
+/**
+ * Verify a payment-bridge cookie and return the associated Member, or null.
+ * Used by /api/helcim/initialize-payment to allow the membership-signup
+ * checkout to proceed before email verification.
+ */
+export async function getPaymentBridgeMember(event) {
+  const token = getCookie(event, 'payment-bridge')
+  if (!token) return null
+
+  let decoded
+  try {
+    decoded = jwt.verify(token, useRuntimeConfig(event).jwtSecret)
+  } catch {
+    return null
+  }
+
+  if (decoded.scope !== 'payment_bridge') return null
+
+  await connectDB()
+  const member = await Member.findById(decoded.memberId)
+  if (!member) return null
+  return member
+}
+
 /**
  * Verify JWT from cookie and return the decoded member.
  * Throws 401 if token is missing or invalid.

server/utils/helcim.js

@@ -262,15 +262,3 @@ export function generateIdempotencyKey() {
   }
   return key
 }
-
-/**
- * Legacy stub — kept alive ONLY so `server/api/events/[id]/payment.post.js`
- * still imports cleanly. The direct purchase API was never implemented.
- * Always returns `{ success: false }`; callers surface the message to the user.
- */
-export async function processHelcimPayment(_paymentData) {
-  return {
-    success: false,
-    message: 'Direct purchase API not implemented; use HelcimPay.js flow'
-  }
-}

server/utils/magicLink.js

@@ -0,0 +1,66 @@
+// Send a magic-link verification email. Mirrors the token/email logic in
+// server/api/auth/login.post.js so callers (signup, login, etc.) can request
+// a verification link with their own subject/intro copy.
+import jwt from 'jsonwebtoken'
+import { randomUUID } from 'crypto'
+import { Resend } from 'resend'
+import Member from '../models/member.js'
+
+const resend = new Resend(process.env.RESEND_API_KEY)
+
+/**
+ * Issue a 15-minute magic-link JWT for `email` and email it.
+ *
+ * @param {string} email
+ * @param {object} [options]
+ * @param {string} [options.subject] - Email subject (default: "Your Ghost Guild login link")
+ * @param {string} [options.intro]   - Optional one-line intro before the link.
+ * @returns {Promise<{ sent: boolean }>} - sent=false when no member exists for the email
+ *   (caller can decide whether to surface that; the auth/login endpoint hides it for
+ *   anti-enumeration, signup knows the member was just created).
+ */
+export async function sendMagicLink(email, options = {}) {
+  const baseUrl = process.env.BASE_URL
+  if (!baseUrl) {
+    throw createError({
+      statusCode: 500,
+      statusMessage: 'BASE_URL environment variable is not set'
+    })
+  }
+
+  const member = await Member.findOne({ email })
+  if (!member) return { sent: false }
+
+  const jti = randomUUID()
+  const token = jwt.sign(
+    { memberId: member._id, jti },
+    useRuntimeConfig().jwtSecret,
+    { expiresIn: '15m' }
+  )
+
+  await Member.findByIdAndUpdate(
+    member._id,
+    { $set: { magicLinkJti: jti, magicLinkJtiUsed: false } },
+    { runValidators: false }
+  )
+
+  const magicLink = `${baseUrl}/verify#${token}`
+  const subject = options.subject || 'Your Ghost Guild login link'
+  const intro = options.intro || 'Sign in to Ghost Guild:'
+  const text = `Hi,\n\n${intro}\n${magicLink}\n\nThis link expires in 15 minutes. If you didn't request it, ignore this email.`
+
+  await resend.emails.send({
+    from: 'Ghost Guild <ghostguild@babyghosts.org>',
+    to: email,
+    subject,
+    text
+  })
+
+  logActivity(member._id, 'email_sent', {
+    emailType: 'magic_link',
+    subject,
+    body: text
+  })
+
+  return { sent: true }
+}

server/utils/rateLimit.js

@@ -0,0 +1,18 @@
+// Tiny in-memory sliding-window rate limiter.
+// Acceptable for single-instance Nitro on Netlify; swap to Mongo/Upstash if
+// we move to multi-instance.
+const buckets = new Map()
+
+export function rateLimit(key, { max, windowMs }) {
+  const now = Date.now()
+  const arr = (buckets.get(key) || []).filter((t) => now - t < windowMs)
+  if (arr.length >= max) return false
+  arr.push(now)
+  buckets.set(key, arr)
+  return true
+}
+
+// Test helper — clears all buckets so each test starts clean.
+export function resetRateLimit() {
+  buckets.clear()
+}

server/utils/schemas.js

@@ -5,6 +5,10 @@ export const emailSchema = z.object({
   email: z.string().trim().toLowerCase().email()
 })
 
+export const verifyMagicLinkSchema = z.object({
+  token: z.string().min(1).max(2000)
+}).strict()
+
 export const memberCreateSchema = z.object({
   email: z.string().trim().toLowerCase().email(),
   name: z.string().min(1).max(200),
@@ -62,12 +66,16 @@ export const helcimCustomerSchema = z.object({
 })
 
 export const helcimInitializePaymentSchema = z.object({
+  // amount is accepted but IGNORED for ticket types (server re-derives).
+  // Kept for verify-mode (subscription card-on-file) where 0 is sent.
   amount: z.number().min(0).optional(),
   customerCode: z.string().max(200).optional(),
   metadata: z.object({
-    type: z.string().max(100).optional(),
+    type: z.enum(['event_ticket', 'series_ticket', 'subscription', 'card_verify', 'membership_signup']).optional(),
     eventTitle: z.string().max(500).optional(),
-    eventId: z.string().max(200).optional()
+    eventId: z.string().max(200).optional(),
+    seriesId: z.string().max(200).optional(),
+    email: z.string().trim().toLowerCase().email().optional()
   }).optional()
 })
 
@@ -131,12 +139,6 @@ export const checkRegistrationSchema = z.object({
   email: z.string().trim().toLowerCase().email()
 })
 
-export const eventPaymentSchema = z.object({
-  name: z.string().min(1).max(200),
-  email: z.string().trim().toLowerCase().email(),
-  paymentToken: z.string().min(1).max(500)
-})
-
 // --- Member schemas ---
 
 export const updateContributionSchema = z.object({