Implement OWASP ASVS L1 security remediation (Phases 0-2)

Auth: Add requireAuth/requireAdmin guards with JWT cookie verification,
member status checks (suspended/cancelled = 403), and admin role
enforcement. Apply to all admin, upload, and payment endpoints. Add
role field to Member model.

CSRF: Double-submit cookie middleware with client plugin. Exempt
webhook and magic-link verify routes.

Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection,
Referrer-Policy, Permissions-Policy on all responses. HSTS and CSP
(Helcim/Cloudinary/Plausible sources) in production only.

Rate limiting: Auth 5/5min, payment 10/min, upload 10/min, general
100/min via rate-limiter-flexible, keyed by client IP.

XSS: DOMPurify sanitization on marked() output with tag/attr
allowlists. escapeHtml() utility for email template interpolation.

Anti-enumeration: Login returns identical response for existing and
non-existing emails. Remove 404 handling from login UI components.

Mass assignment: Remove helcimCustomerId from profile allowedFields.

Session: 7-day token expiry, refresh endpoint, httpOnly+secure cookies.

Environment: Validate required secrets on startup via server plugin.
Remove JWT_SECRET hardcoded fallback.

app/composables/useMarkdown.js

@@ -1,12 +1,29 @@
 import { marked } from 'marked'
+import DOMPurify from 'isomorphic-dompurify'
+
+const ALLOWED_TAGS = [
+  'a', 'strong', 'em', 'b', 'i', 'u',
+  'ul', 'ol', 'li', 'p', 'br',
+  'code', 'pre', 'blockquote',
+  'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
+  'hr', 'table', 'thead', 'tbody', 'tr', 'th', 'td',
+  'del', 'sup', 'sub'
+]
+
+const ALLOWED_ATTR = ['href', 'target', 'rel', 'class']
 
 export const useMarkdown = () => {
   const render = (markdown) => {
     if (!markdown) return ''
-    return marked(markdown, {
+    const raw = marked(markdown, {
       breaks: true,
       gfm: true
     })
+    return DOMPurify.sanitize(raw, {
+      ALLOWED_TAGS,
+      ALLOWED_ATTR,
+      ALLOW_DATA_ATTR: false
+    })
   }
 
   return {