From 29c96a207e5337d7175d1a908264a78f98fa8b98 Mon Sep 17 00:00:00 2001
From: Jennie Robinson Faber <jennie@jenniefaber.com>
Date: Sun, 1 Mar 2026 12:30:06 +0000
Subject: [PATCH] Add Vitest security test suite and update security evaluation
 doc

Set up Vitest with server (node) and client (jsdom) test projects.
79 tests across 8 files verify all Phase 0-1 security controls:
escapeHtml sanitization, DOMPurify markdown XSS prevention, CSRF
enforcement, security headers, rate limiting, auth guards, profile
field allowlist, and login anti-enumeration. Updated SECURITY_EVALUATION.md
with remediation status, implementation summary, and automated test
coverage details.
---
 docs/SECURITY_EVALUATION.md                   |  282 +++++
 package-lock.json                             | 1123 ++++++++++++++++-
 package.json                                  |   11 +-
 tests/client/composables/useMarkdown.test.js  |  110 ++
 tests/server/api/auth-login.test.js           |  113 ++
 .../server/api/members-profile-patch.test.js  |  157 +++
 tests/server/helpers/createMockEvent.js       |   72 ++
 tests/server/middleware/csrf.test.js          |  127 ++
 tests/server/middleware/rate-limit.test.js    |   95 ++
 .../middleware/security-headers.test.js       |  106 ++
 tests/server/setup.js                         |   34 +
 tests/server/utils/auth.test.js               |  142 +++
 tests/server/utils/escapeHtml.test.js         |   60 +
 vitest.config.js                              |   25 +
 14 files changed, 2454 insertions(+), 3 deletions(-)
 create mode 100644 docs/SECURITY_EVALUATION.md
 create mode 100644 tests/client/composables/useMarkdown.test.js
 create mode 100644 tests/server/api/auth-login.test.js
 create mode 100644 tests/server/api/members-profile-patch.test.js
 create mode 100644 tests/server/helpers/createMockEvent.js
 create mode 100644 tests/server/middleware/csrf.test.js
 create mode 100644 tests/server/middleware/rate-limit.test.js
 create mode 100644 tests/server/middleware/security-headers.test.js
 create mode 100644 tests/server/setup.js
 create mode 100644 tests/server/utils/auth.test.js
 create mode 100644 tests/server/utils/escapeHtml.test.js
 create mode 100644 vitest.config.js

diff --git a/docs/SECURITY_EVALUATION.md b/docs/SECURITY_EVALUATION.md
new file mode 100644
index 0000000..b337246
--- /dev/null
+++ b/docs/SECURITY_EVALUATION.md
@@ -0,0 +1,282 @@
+# Ghost Guild Security Evaluation
+
+**Date:** 2026-02-28 (updated 2026-03-01)
+**Framework:** OWASP ASVS v4.0, Level 1
+**Scope:** Full application stack (Nuxt 4 + Nitro server + MongoDB)
+
+---
+
+## Framework Rationale
+
+Ghost Guild handles payments (Helcim), PII, and user-generated content. We evaluated four frameworks before selecting ASVS:
+
+| Framework | Why Not |
+|---|---|
+| PCI-DSS | Too narrow -- only covers payment surface, misses auth/XSS/access control |
+| NIST CSF / ISO 27001 | Organizational frameworks, not application-level |
+| OWASP Top 10 | Too coarse -- categories without testable requirements |
+| **OWASP ASVS L1** | **Selected** -- purpose-built for web apps, testable pass/fail criteria across 14 chapters |
+
+ASVS Level 1 targets "all software" and is achievable for a small team.
+
+---
+
+## Findings
+
+### Severity Summary
+
+| Severity | Count | Key Areas |
+|----------|-------|-----------|
+| CRITICAL | 5 | Admin auth disabled, payment verification stub, XSS (markdown + emails), cookie flags |
+| HIGH | 9 | No rate limiting, no CSRF, JWT secret fallback, unauthenticated endpoints, mass assignment |
+| MEDIUM | 5 | Long-lived tokens, Slack secrets unused, devtools, data logging, regex injection |
+| LOW | 2 | User enumeration, email format validation |
+
+---
+
+### CRITICAL
+
+#### C1. Admin endpoints completely unprotected
+- **ASVS:** V4.1.1 (Trusted enforcement)
+- **Files:** All routes under `server/api/admin/`
+- **Evidence:** Auth code is commented out with `// TODO: Temporarily disabled auth for testing`. Anyone can list all members, create/delete events, and view revenue dashboard. The Member model has no `role` or `isAdmin` field.
+
+#### C2. Payment verification is a stub
+- **ASVS:** V10.2.1 (Business logic integrity)
+- **File:** `server/api/helcim/verify-payment.post.js`
+- **Evidence:** Returns `{ success: true, cardToken: body.cardToken }` without calling the Helcim API.
+
+#### C3. XSS via unsanitized markdown
+- **ASVS:** V5.3.3 (Output encoding for HTML)
+- **Files:** `app/composables/useMarkdown.js`, `app/pages/members.vue:247`
+- **Evidence:** `marked()` output rendered via `v-html` with no DOMPurify.
+
+#### C4. XSS in email templates
+- **ASVS:** V5.2.6 (Server-side injection)
+- **File:** `server/utils/resend.js` (11+ interpolation points)
+- **Evidence:** User-supplied values interpolated directly into HTML email bodies.
+
+#### C5. Session cookie allows JavaScript access
+- **ASVS:** V3.2.1 (Cookie attributes)
+- **File:** `server/api/auth/verify.get.js:40-45`
+- **Evidence:** `httpOnly: false, secure: false`. Session token accessible to any JavaScript.
+
+---
+
+### HIGH
+
+#### H1. No rate limiting on any endpoint
+- **ASVS:** V13.2.5
+- **Evidence:** No rate limiting middleware anywhere. Login, registration, uploads, and payment endpoints are unlimited.
+
+#### H2. No CSRF protection
+- **ASVS:** V3.5.2
+- **Evidence:** No CSRF tokens, double-submit cookies, or CSRF middleware.
+
+#### H3. Hardcoded JWT fallback secret
+- **ASVS:** V6.4.1 (Key management)
+- **File:** `nuxt.config.ts:17`
+- **Evidence:** `jwtSecret: process.env.JWT_SECRET || 'dev-secret-change-in-production'`
+
+#### H4. File upload endpoint unauthenticated
+- **ASVS:** V4.1.3
+- **File:** `server/api/upload/image.post.js`
+- **Evidence:** No auth check. Anyone can upload images.
+
+#### H5. Helcim payment endpoints mostly unauthenticated
+- **ASVS:** V4.1.1
+- **Files:** `verify-payment.post.js`, `initialize-payment.post.js`, `update-billing.post.js`, `subscription.post.js`
+
+#### H6. Mass assignment: helcimCustomerId in allowedFields
+- **ASVS:** V5.1.3
+- **File:** `server/api/members/profile.patch.js:40`
+- **Evidence:** A member can change their own Helcim customer ID.
+
+#### H7. No input validation
+- **ASVS:** V5.1.3
+- **Evidence:** Zod is installed but has zero imports. All validation is ad-hoc.
+
+#### H8. User enumeration on login
+- **ASVS:** V2.1.7
+- **File:** `server/api/auth/login.post.js:24-28`
+- **Evidence:** Returns 404 "No account found" vs success.
+
+#### H9. No security headers
+- **ASVS:** V9.1.1
+- **Evidence:** No CSP, HSTS, X-Frame-Options, or X-Content-Type-Options.
+
+---
+
+### MEDIUM
+
+| ID | ASVS | Finding | File |
+|----|------|---------|------|
+| M1 | V2.5.2 | 30-day static session token, no rotation | `verify.get.js:36` |
+| M2 | V10.2.2 | Slack signing secret defined but never used | `nuxt.config.ts:21` |
+| M3 | V7.4.1 | DevTools enabled unconditionally | `nuxt.config.ts:4` |
+| M4 | V7.1.1 | Console logging of payment data and API token substrings | `helcim/customer.post.js:42` |
+| M5 | V5.3.4 | Unescaped regex in directory search | `members/directory.get.js:49-51` |
+
+### LOW
+
+| ID | ASVS | Finding | File |
+|----|------|---------|------|
+| L1 | V2.1.7 | Timing-based enumeration via DB lookup | `auth/login.post.js` |
+| L2 | V5.1.3 | No email format validation on login | `auth/login.post.js:15` |
+
+---
+
+## Future Feature Risk Assessment
+
+| Planned Feature | Risk | Must Address First |
+|---|---|---|
+| Rich text member updates | Same XSS pattern as C3 | Fix markdown sanitization (C3) |
+| Resource library with downloads | Unauthenticated upload (H4), malware distribution | Add upload auth (H4), file validation |
+| Etherpad integration | External content rendered unsanitized | Build sanitization utility (C3) |
+| Cal.com integration | API credential exposure | Fix secret management (H3) |
+| Member-proposed events | No admin role model, no approval workflow | Build RBAC (C1) |
+| Advanced search/analytics | Regex injection (M5), privacy leakage | Fix regex escaping (M5) |
+
+---
+
+## Remediation Summary (Phases 0-1 + partial Phase 2)
+
+All work lives on branch `security/asvs-remediation`.
+
+### Auth guards (`server/utils/auth.js`)
+- `requireAuth(event)` -- Reads JWT from `auth-token` cookie, verifies against `jwtSecret`, loads member from DB, rejects suspended/cancelled accounts (403). Auto-imported by Nitro.
+- `requireAdmin(event)` -- Calls `requireAuth`, then checks `member.role === 'admin'` (403 if not). Member model gained `role` field (enum: `member`/`admin`, default `member`).
+- Applied to all `server/api/admin/`, `server/api/upload/`, and `server/api/helcim/` endpoints.
+
+### CSRF (`server/middleware/01.csrf.js` + `app/plugins/csrf.client.js`)
+- Double-submit cookie pattern. Middleware generates a random token cookie on first request, then enforces that POST/PATCH/DELETE to `/api/*` include a matching `x-csrf-token` header.
+- Client plugin reads the cookie and attaches the header on every `$fetch` request.
+- Exempt routes: `/api/helcim/webhook`, `/api/slack/webhook`, `/api/auth/verify`.
+
+### Security headers (`server/middleware/02.security-headers.js`)
+- Always: `X-Content-Type-Options: nosniff`, `X-Frame-Options: DENY`, `X-XSS-Protection: 0`, `Referrer-Policy: strict-origin-when-cross-origin`, `Permissions-Policy: camera=(), microphone=(), geolocation=()`.
+- Production only: HSTS (1 year, includeSubDomains) and CSP allowing Helcim, Cloudinary, and Plausible sources.
+
+### Rate limiting (`server/middleware/03.rate-limit.js`)
+- `rate-limiter-flexible` with in-memory stores, keyed by client IP.
+- Auth endpoints: 5 requests per 5 minutes. Payment endpoints: 10 per minute. Uploads: 10 per minute. General API: 100 per minute.
+- Returns 429 with `Retry-After` header on exhaustion.
+
+### XSS prevention
+- **Markdown** (`app/composables/useMarkdown.js`): `marked()` output sanitized through DOMPurify with explicit allowlists for tags and attributes. Strips script/iframe/object/embed/img and all event handler attributes.
+- **Email templates** (`server/utils/escapeHtml.js`): Pure function escaping `& < > " '` to HTML entities. Applied to all user-supplied interpolations in `server/utils/resend.js`.
+
+### Anti-enumeration (`server/api/auth/login.post.js`)
+- Login returns identical `{ success: true, message: "If this email is registered, we've sent a login link." }` for both existing and non-existing emails.
+
+### Mass assignment (`server/api/members/profile.patch.js`)
+- Explicit allowlist of profile fields. `helcimCustomerId`, `role`, `status`, `email`, `_id` are excluded from the `$set` update.
+
+### Session management
+- 7-day token expiry with refresh endpoint at `/api/auth/refresh`.
+
+---
+
+## Remediation Roadmap
+
+### Phase 0: Emergency (before any production traffic) -- COMPLETE
+
+| # | Finding | Fix | ASVS | Status |
+|---|---------|-----|------|--------|
+| 1 | C5 | Set `httpOnly: true`, `secure` conditional on NODE_ENV | V3.2.1 | Done |
+| 2 | C3 | Install `isomorphic-dompurify`, sanitize `marked()` output | V5.3.3 | Done |
+| 3 | C1 | Add `role` field to Member model, re-enable admin auth with role check | V4.1.1 | Done |
+| 4 | C2 | Call Helcim API in verify-payment to confirm transactions server-side | V10.2.1 | Done |
+| 5 | H3 | Throw on missing JWT_SECRET instead of fallback | V6.4.1 | Done |
+
+### Phase 1: Pre-launch (before public access) -- COMPLETE
+
+| # | Finding | Fix | ASVS | Status |
+|---|---------|-----|------|--------|
+| 6 | C4 | Create `escapeHtml()` utility, apply to all email template interpolations | V5.2.6 | Done |
+| 7 | H4 | Add JWT verification to upload endpoint | V4.1.3 | Done |
+| 8 | H5 | Add JWT verification to payment endpoints | V4.1.1 | Done |
+| 9 | H6 | Remove `helcimCustomerId` from `allowedFields` | V5.1.3 | Done |
+| 10 | H2 | Add CSRF double-submit cookie middleware (exempt webhooks) | V3.5.2 | Done |
+| 11 | H9 | Add CSP, HSTS, X-Frame-Options, X-Content-Type-Options headers | V9.1.1 | Done |
+| 12 | H1 | Add rate limiting to login, registration, upload, payment | V13.2.5 | Done |
+| 13 | H8 | Return identical response for existing/non-existing accounts | V2.1.7 | Done |
+| 14 | -- | Add `status: 'active'` check to auth endpoints | V4.1.1 | Done |
+
+### Phase 2: Hardening (within 30 days of launch) -- PARTIAL
+
+| # | Finding | Fix | ASVS | Status |
+|---|---------|-----|------|--------|
+| 15 | H7 | Implement Zod validation across all API endpoints | V5.1.3 | Open |
+| 16 | M5 | Escape regex in directory search | V5.3.4 | Open |
+| 17 | M4 | Remove sensitive console.log statements | V7.1.1 | Open |
+| 18 | M3 | Make devtools conditional on NODE_ENV | V7.4.1 | Open |
+| 19 | M1 | Shorter session tokens (7d) with refresh endpoint | V2.5.2 | Done |
+| 20 | -- | Create shared `requireAuth()`/`requireAdmin()` utilities | V4.1.1 | Done |
+
+### Phase 3: Before building planned features
+
+| # | Fix | Status |
+|---|-----|--------|
+| 21 | Build sanitization utility (DOMPurify wrapper) for all user-generated HTML | Open |
+| 22 | Design admin role model with granular permissions | Open |
+| 23 | Implement file validation pipeline (type, size, virus scanning) | Open |
+| 24 | Design credential management patterns (encrypted at rest) | Open |
+
+---
+
+## Automated Testing
+
+### Framework
+
+Vitest with two test projects:
+
+- **Server tests** (`tests/server/`): Node.js environment, h3 globals stubbed from real h3 functions
+- **Client tests** (`tests/client/`): jsdom environment for browser-side composables
+
+```bash
+npm run test       # Watch mode
+npm run test:run   # Single run (CI)
+```
+
+### Infrastructure
+
+- `tests/server/setup.js` -- Stubs real h3 functions (`getCookie`, `setCookie`, `getMethod`, `getHeader`, `setHeader`, `getRequestURL`, `createError`, `defineEventHandler`, `readBody`, etc.) as globals to simulate Nitro auto-imports. Also stubs `useRuntimeConfig`.
+- `tests/server/helpers/createMockEvent.js` -- Factory that builds real h3 events from Node.js `IncomingMessage`/`ServerResponse` pairs. Accepts `method`, `path`, `headers`, `cookies`, `body`, and `remoteAddress`. Captures response headers via `event._testSetHeaders` for assertions.
+
+### Test Coverage (79 tests across 8 files)
+
+| File | Tests | Security Controls Verified |
+|------|-------|---------------------------|
+| `tests/server/utils/escapeHtml.test.js` | 12 | All 5 HTML entity escapes, null/undefined handling, `<script>` and `<img onerror>` XSS payloads (C4, V5.2.6) |
+| `tests/client/composables/useMarkdown.test.js` | 18 | Script/iframe/object/embed tags stripped, onerror/onclick attrs stripped, javascript: URIs sanitized, safe markdown preserved (C3, V5.3.3) |
+| `tests/server/middleware/csrf.test.js` | 14 | GET/HEAD/OPTIONS bypass, non-API bypass, webhook exemptions, 403 on missing/mismatched token, PATCH/DELETE enforcement, cookie provisioning (H2, V3.5.2) |
+| `tests/server/middleware/security-headers.test.js` | 12 | X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy always set; HSTS + CSP production-only; CSP includes Helcim/Cloudinary/Plausible sources (H9, V9.1.1) |
+| `tests/server/middleware/rate-limit.test.js` | 4 | Auth endpoint 5/5min limit, payment endpoint 10/min limit, IP isolation between clients (H1, V13.2.5) |
+| `tests/server/utils/auth.test.js` | 8 | No cookie = 401, invalid JWT = 401, member not found = 401, suspended = 403, cancelled = 403, active = returns member, non-admin = 403, admin = returns member (C1, V4.1.1) |
+| `tests/server/api/auth-login.test.js` | 4 | Existing and non-existing emails return identical response shape and message, missing email = 400 (H8, V2.1.7) |
+| `tests/server/api/members-profile-patch.test.js` | 7 | `helcimCustomerId`, `role`, `status`, `email`, `_id` blocked from `$set`; allowed fields (`pronouns`, `bio`, `studio`, etc.) and nested objects (`offering`, `lookingFor`) pass through (H6, V5.1.3) |
+
+### Manual Test Cases
+
+These items require browser or network-level verification and are not covered by automated tests:
+
+**Item 1 (Cookie flags):** Open DevTools > Application > Cookies. Verify `auth-token` has `HttpOnly: true`. Run `document.cookie` in console -- `auth-token` must NOT appear. Auth flow must still work.
+
+**Item 4 (Payment verification):** Fake `cardToken` = failure. Real HelcimPay.js flow in test mode = success.
+
+**Item 5 (JWT fallback):** Unset `JWT_SECRET`, start server = crash with clear error. Set it = normal startup.
+
+**Item 7 (Upload auth):** POST `/api/upload/image` with no cookie = 401. With valid auth = success.
+
+**Item 8 (Payment auth):** Each endpoint with no cookie = 401. Full join flow still completes.
+
+### Integration verification (after each phase)
+
+- `npm run test:run` -- all 79 tests pass
+- `npm run build` succeeds
+- Full join flow: free tier + paid tier
+- Full login flow: magic link request, click, redirect to `/members`
+- Profile editing: avatar upload, bio update, privacy settings
+- Admin pages: access control verified
+- `curl` against hardened endpoints: unauthenticated = rejected
diff --git a/package-lock.json b/package-lock.json
index 175196e..1cf5acf 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -18,11 +18,13 @@
         "chrono-node": "^2.8.4",
         "cloudinary": "^2.7.0",
         "eslint": "^9.34.0",
+        "isomorphic-dompurify": "^3.0.0",
         "jsonwebtoken": "^9.0.2",
         "marked": "^17.0.3",
         "mongoose": "^8.18.0",
         "nitro-cors": "^0.7.1",
         "nuxt": "^4.0.3",
+        "rate-limiter-flexible": "^9.1.1",
         "resend": "^6.0.1",
         "typescript": "^5.9.2",
         "vue": "^3.5.20",
@@ -30,9 +32,18 @@
         "zod": "^4.1.3"
       },
       "devDependencies": {
-        "@tailwindcss/typography": "^0.5.19"
+        "@nuxt/test-utils": "^4.0.0",
+        "@tailwindcss/typography": "^0.5.19",
+        "jsdom": "^28.1.0",
+        "vitest": "^4.0.18"
       }
     },
+    "node_modules/@acemir/cssom": {
+      "version": "0.9.31",
+      "resolved": "https://registry.npmjs.org/@acemir/cssom/-/cssom-0.9.31.tgz",
+      "integrity": "sha512-ZnR3GSaH+/vJ0YlHau21FjfLYjMpYVIzTD8M8vIEQvIGxeOXyXdzCI140rrCY862p/C/BbzWsjc1dgnM9mkoTA==",
+      "license": "MIT"
+    },
     "node_modules/@alloc/quick-lru": {
       "version": "5.2.0",
       "resolved": "https://registry.npmjs.org/@alloc/quick-lru/-/quick-lru-5.2.0.tgz",
@@ -76,6 +87,59 @@
         "@types/json-schema": "^7.0.15"
       }
     },
+    "node_modules/@asamuzakjp/css-color": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/@asamuzakjp/css-color/-/css-color-5.0.1.tgz",
+      "integrity": "sha512-2SZFvqMyvboVV1d15lMf7XiI3m7SDqXUuKaTymJYLN6dSGadqp+fVojqJlVoMlbZnlTmu3S0TLwLTJpvBMO1Aw==",
+      "license": "MIT",
+      "dependencies": {
+        "@csstools/css-calc": "^3.1.1",
+        "@csstools/css-color-parser": "^4.0.2",
+        "@csstools/css-parser-algorithms": "^4.0.0",
+        "@csstools/css-tokenizer": "^4.0.0",
+        "lru-cache": "^11.2.6"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      }
+    },
+    "node_modules/@asamuzakjp/css-color/node_modules/lru-cache": {
+      "version": "11.2.6",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.2.6.tgz",
+      "integrity": "sha512-ESL2CrkS/2wTPfuend7Zhkzo2u0daGJ/A2VucJOgQ/C48S/zB8MMeMHSGKYpXhIjbPxfuezITkaBH1wqv00DDQ==",
+      "license": "BlueOak-1.0.0",
+      "engines": {
+        "node": "20 || >=22"
+      }
+    },
+    "node_modules/@asamuzakjp/dom-selector": {
+      "version": "6.8.1",
+      "resolved": "https://registry.npmjs.org/@asamuzakjp/dom-selector/-/dom-selector-6.8.1.tgz",
+      "integrity": "sha512-MvRz1nCqW0fsy8Qz4dnLIvhOlMzqDVBabZx6lH+YywFDdjXhMY37SmpV1XFX3JzG5GWHn63j6HX6QPr3lZXHvQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@asamuzakjp/nwsapi": "^2.3.9",
+        "bidi-js": "^1.0.3",
+        "css-tree": "^3.1.0",
+        "is-potential-custom-element-name": "^1.0.1",
+        "lru-cache": "^11.2.6"
+      }
+    },
+    "node_modules/@asamuzakjp/dom-selector/node_modules/lru-cache": {
+      "version": "11.2.6",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.2.6.tgz",
+      "integrity": "sha512-ESL2CrkS/2wTPfuend7Zhkzo2u0daGJ/A2VucJOgQ/C48S/zB8MMeMHSGKYpXhIjbPxfuezITkaBH1wqv00DDQ==",
+      "license": "BlueOak-1.0.0",
+      "engines": {
+        "node": "20 || >=22"
+      }
+    },
+    "node_modules/@asamuzakjp/nwsapi": {
+      "version": "2.3.9",
+      "resolved": "https://registry.npmjs.org/@asamuzakjp/nwsapi/-/nwsapi-2.3.9.tgz",
+      "integrity": "sha512-n8GuYSrI9bF7FFZ/SjhwevlHc8xaVlb/7HmHelnc/PZXBD2ZR49NnN9sMMuDdEGPeeRQ5d0hqlSlEpgCX3Wl0Q==",
+      "license": "MIT"
+    },
     "node_modules/@babel/code-frame": {
       "version": "7.29.0",
       "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.0.tgz",
@@ -498,6 +562,18 @@
         }
       }
     },
+    "node_modules/@bramus/specificity": {
+      "version": "2.4.2",
+      "resolved": "https://registry.npmjs.org/@bramus/specificity/-/specificity-2.4.2.tgz",
+      "integrity": "sha512-ctxtJ/eA+t+6q2++vj5j7FYX3nRu311q1wfYH3xjlLOsczhlhxAg2FWNUXhpGvAw3BWo1xBcvOV6/YLc2r5FJw==",
+      "license": "MIT",
+      "dependencies": {
+        "css-tree": "^3.0.0"
+      },
+      "bin": {
+        "specificity": "bin/cli.js"
+      }
+    },
     "node_modules/@capsizecss/unpack": {
       "version": "4.0.0",
       "resolved": "https://registry.npmjs.org/@capsizecss/unpack/-/unpack-4.0.0.tgz",
@@ -581,6 +657,132 @@
         "@cloudinary/html": "^1.13.5"
       }
     },
+    "node_modules/@csstools/color-helpers": {
+      "version": "6.0.2",
+      "resolved": "https://registry.npmjs.org/@csstools/color-helpers/-/color-helpers-6.0.2.tgz",
+      "integrity": "sha512-LMGQLS9EuADloEFkcTBR3BwV/CGHV7zyDxVRtVDTwdI2Ca4it0CCVTT9wCkxSgokjE5Ho41hEPgb8OEUwoXr6Q==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT-0",
+      "engines": {
+        "node": ">=20.19.0"
+      }
+    },
+    "node_modules/@csstools/css-calc": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/@csstools/css-calc/-/css-calc-3.1.1.tgz",
+      "integrity": "sha512-HJ26Z/vmsZQqs/o3a6bgKslXGFAungXGbinULZO3eMsOyNJHeBBZfup5FiZInOghgoM4Hwnmw+OgbJCNg1wwUQ==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT",
+      "engines": {
+        "node": ">=20.19.0"
+      },
+      "peerDependencies": {
+        "@csstools/css-parser-algorithms": "^4.0.0",
+        "@csstools/css-tokenizer": "^4.0.0"
+      }
+    },
+    "node_modules/@csstools/css-color-parser": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/@csstools/css-color-parser/-/css-color-parser-4.0.2.tgz",
+      "integrity": "sha512-0GEfbBLmTFf0dJlpsNU7zwxRIH0/BGEMuXLTCvFYxuL1tNhqzTbtnFICyJLTNK4a+RechKP75e7w42ClXSnJQw==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "@csstools/color-helpers": "^6.0.2",
+        "@csstools/css-calc": "^3.1.1"
+      },
+      "engines": {
+        "node": ">=20.19.0"
+      },
+      "peerDependencies": {
+        "@csstools/css-parser-algorithms": "^4.0.0",
+        "@csstools/css-tokenizer": "^4.0.0"
+      }
+    },
+    "node_modules/@csstools/css-parser-algorithms": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/@csstools/css-parser-algorithms/-/css-parser-algorithms-4.0.0.tgz",
+      "integrity": "sha512-+B87qS7fIG3L5h3qwJ/IFbjoVoOe/bpOdh9hAjXbvx0o8ImEmUsGXN0inFOnk2ChCFgqkkGFQ+TpM5rbhkKe4w==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT",
+      "engines": {
+        "node": ">=20.19.0"
+      },
+      "peerDependencies": {
+        "@csstools/css-tokenizer": "^4.0.0"
+      }
+    },
+    "node_modules/@csstools/css-syntax-patches-for-csstree": {
+      "version": "1.0.28",
+      "resolved": "https://registry.npmjs.org/@csstools/css-syntax-patches-for-csstree/-/css-syntax-patches-for-csstree-1.0.28.tgz",
+      "integrity": "sha512-1NRf1CUBjnr3K7hu8BLxjQrKCxEe8FP/xmPTenAxCRZWVLbmGotkFvG9mfNpjA6k7Bw1bw4BilZq9cu19RA5pg==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT-0"
+    },
+    "node_modules/@csstools/css-tokenizer": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/@csstools/css-tokenizer/-/css-tokenizer-4.0.0.tgz",
+      "integrity": "sha512-QxULHAm7cNu72w97JUNCBFODFaXpbDg+dP8b/oWFAZ2MTRppA3U00Y2L1HqaS4J6yBqxwa/Y3nMBaxVKbB/NsA==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT",
+      "engines": {
+        "node": ">=20.19.0"
+      }
+    },
     "node_modules/@dxup/nuxt": {
       "version": "0.3.2",
       "resolved": "https://registry.npmjs.org/@dxup/nuxt/-/nuxt-0.3.2.tgz",
@@ -1369,6 +1571,23 @@
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
       }
     },
+    "node_modules/@exodus/bytes": {
+      "version": "1.14.1",
+      "resolved": "https://registry.npmjs.org/@exodus/bytes/-/bytes-1.14.1.tgz",
+      "integrity": "sha512-OhkBFWI6GcRMUroChZiopRiSp2iAMvEBK47NhJooDqz1RERO4QuZIZnjP63TXX8GAiLABkYmX+fuQsdJ1dd2QQ==",
+      "license": "MIT",
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      },
+      "peerDependencies": {
+        "@noble/hashes": "^1.8.0 || ^2.0.0"
+      },
+      "peerDependenciesMeta": {
+        "@noble/hashes": {
+          "optional": true
+        }
+      }
+    },
     "node_modules/@floating-ui/core": {
       "version": "1.7.4",
       "resolved": "https://registry.npmjs.org/@floating-ui/core/-/core-1.7.4.tgz",
@@ -2311,6 +2530,223 @@
       "integrity": "sha512-zpYTCs2byOuft65vI3z43Dd6iSdFbOZZLb9/d21aCpx2rGastVU9dOCv0lu4ykc1Ur1anAYjDi3SUvR0vq50JA==",
       "license": "MIT"
     },
+    "node_modules/@nuxt/test-utils": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/@nuxt/test-utils/-/test-utils-4.0.0.tgz",
+      "integrity": "sha512-QJfyCiqYxflUKA5xlEGuXdDApTBhJxoPXxYePIDtA90hkmKbhYs/mrMM+Bi9LiUrI/cCJOPRyIx9jOzhMvTIgg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@clack/prompts": "1.0.0",
+        "@nuxt/devtools-kit": "^2.7.0",
+        "@nuxt/kit": "^3.21.0",
+        "c12": "^3.3.3",
+        "consola": "^3.4.2",
+        "defu": "^6.1.4",
+        "destr": "^2.0.5",
+        "estree-walker": "^3.0.3",
+        "exsolve": "^1.0.8",
+        "fake-indexeddb": "^6.2.5",
+        "get-port-please": "^3.2.0",
+        "h3": "^1.15.5",
+        "h3-next": "npm:h3@2.0.1-rc.11",
+        "local-pkg": "^1.1.2",
+        "magic-string": "^0.30.21",
+        "node-fetch-native": "^1.6.7",
+        "node-mock-http": "^1.0.4",
+        "nypm": "^0.6.4",
+        "ofetch": "^1.5.1",
+        "pathe": "^2.0.3",
+        "perfect-debounce": "^2.1.0",
+        "radix3": "^1.1.2",
+        "scule": "^1.3.0",
+        "std-env": "^3.10.0",
+        "tinyexec": "^1.0.2",
+        "ufo": "^1.6.3",
+        "unplugin": "^3.0.0",
+        "vitest-environment-nuxt": "^1.0.1",
+        "vue": "^3.5.27"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      },
+      "peerDependencies": {
+        "@cucumber/cucumber": ">=11.0.0",
+        "@jest/globals": ">=30.0.0",
+        "@playwright/test": "^1.43.1",
+        "@testing-library/vue": "^8.0.1",
+        "@vue/test-utils": "^2.4.2",
+        "happy-dom": ">=20.0.11",
+        "jsdom": ">=27.4.0",
+        "playwright-core": "^1.43.1",
+        "vitest": "^4.0.2"
+      },
+      "peerDependenciesMeta": {
+        "@cucumber/cucumber": {
+          "optional": true
+        },
+        "@jest/globals": {
+          "optional": true
+        },
+        "@playwright/test": {
+          "optional": true
+        },
+        "@testing-library/vue": {
+          "optional": true
+        },
+        "@vitest/ui": {
+          "optional": true
+        },
+        "@vue/test-utils": {
+          "optional": true
+        },
+        "happy-dom": {
+          "optional": true
+        },
+        "jsdom": {
+          "optional": true
+        },
+        "playwright-core": {
+          "optional": true
+        },
+        "vitest": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@nuxt/test-utils/node_modules/@clack/core": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/@clack/core/-/core-1.0.0.tgz",
+      "integrity": "sha512-Orf9Ltr5NeiEuVJS8Rk2XTw3IxNC2Bic3ash7GgYeA8LJ/zmSNpSQ/m5UAhe03lA6KFgklzZ5KTHs4OAMA/SAQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "picocolors": "^1.0.0",
+        "sisteransi": "^1.0.5"
+      }
+    },
+    "node_modules/@nuxt/test-utils/node_modules/@clack/prompts": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/@clack/prompts/-/prompts-1.0.0.tgz",
+      "integrity": "sha512-rWPXg9UaCFqErJVQ+MecOaWsozjaxol4yjnmYcGNipAWzdaWa2x+VJmKfGq7L0APwBohQOYdHC+9RO4qRXej+A==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@clack/core": "1.0.0",
+        "picocolors": "^1.0.0",
+        "sisteransi": "^1.0.5"
+      }
+    },
+    "node_modules/@nuxt/test-utils/node_modules/@nuxt/devtools-kit": {
+      "version": "2.7.0",
+      "resolved": "https://registry.npmjs.org/@nuxt/devtools-kit/-/devtools-kit-2.7.0.tgz",
+      "integrity": "sha512-MIJdah6CF6YOW2GhfKnb8Sivu6HpcQheqdjOlZqShBr+1DyjtKQbAKSCAyKPaoIzZP4QOo2SmTFV6aN8jBeEIQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@nuxt/kit": "^3.19.3",
+        "execa": "^8.0.1"
+      },
+      "peerDependencies": {
+        "vite": ">=6.0"
+      }
+    },
+    "node_modules/@nuxt/test-utils/node_modules/@nuxt/kit": {
+      "version": "3.21.1",
+      "resolved": "https://registry.npmjs.org/@nuxt/kit/-/kit-3.21.1.tgz",
+      "integrity": "sha512-QORZRjcuTKgo++XP1Pc2c2gqwRydkaExrIRfRI9vFsPA3AzuHVn5Gfmbv1ic8y34e78mr5DMBvJlelUaeOuajg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "c12": "^3.3.3",
+        "consola": "^3.4.2",
+        "defu": "^6.1.4",
+        "destr": "^2.0.5",
+        "errx": "^0.1.0",
+        "exsolve": "^1.0.8",
+        "ignore": "^7.0.5",
+        "jiti": "^2.6.1",
+        "klona": "^2.0.6",
+        "knitwork": "^1.3.0",
+        "mlly": "^1.8.0",
+        "ohash": "^2.0.11",
+        "pathe": "^2.0.3",
+        "pkg-types": "^2.3.0",
+        "rc9": "^3.0.0",
+        "scule": "^1.3.0",
+        "semver": "^7.7.4",
+        "tinyglobby": "^0.2.15",
+        "ufo": "^1.6.3",
+        "unctx": "^2.5.0",
+        "untyped": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=18.12.0"
+      }
+    },
+    "node_modules/@nuxt/test-utils/node_modules/crossws": {
+      "version": "0.4.4",
+      "resolved": "https://registry.npmjs.org/crossws/-/crossws-0.4.4.tgz",
+      "integrity": "sha512-w6c4OdpRNnudVmcgr7brb/+/HmYjMQvYToO/oTrprTwxRUiom3LYWU1PMWuD006okbUWpII1Ea9/+kwpUfmyRg==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "peer": true,
+      "peerDependencies": {
+        "srvx": ">=0.7.1"
+      },
+      "peerDependenciesMeta": {
+        "srvx": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@nuxt/test-utils/node_modules/estree-walker": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/estree-walker/-/estree-walker-3.0.3.tgz",
+      "integrity": "sha512-7RUKfXgSMMkzt6ZuXmqapOurLGPPfgj6l9uRZ7lRGolvk0y2yocc35LdcxKC5PQZdn2DMqioAQ2NoWcrTKmm6g==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/estree": "^1.0.0"
+      }
+    },
+    "node_modules/@nuxt/test-utils/node_modules/h3-next": {
+      "name": "h3",
+      "version": "2.0.1-rc.11",
+      "resolved": "https://registry.npmjs.org/h3/-/h3-2.0.1-rc.11.tgz",
+      "integrity": "sha512-2myzjCqy32c1As9TjZW9fNZXtLqNedjFSrdFy2AjFBQQ3LzrnGoDdFDYfC0tV2e4vcyfJ2Sfo/F6NQhO2Ly/Mw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "rou3": "^0.7.12",
+        "srvx": "^0.10.1"
+      },
+      "engines": {
+        "node": ">=20.11.1"
+      },
+      "peerDependencies": {
+        "crossws": "^0.4.1"
+      },
+      "peerDependenciesMeta": {
+        "crossws": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@nuxt/test-utils/node_modules/srvx": {
+      "version": "0.10.1",
+      "resolved": "https://registry.npmjs.org/srvx/-/srvx-0.10.1.tgz",
+      "integrity": "sha512-A//xtfak4eESMWWydSRFUVvCTQbSwivnGCEf8YGPe2eHU0+Z6znfUTCPF0a7oV3sObSOcrXHlL6Bs9vVctfXdg==",
+      "dev": true,
+      "license": "MIT",
+      "bin": {
+        "srvx": "bin/srvx.mjs"
+      },
+      "engines": {
+        "node": ">=20.16.0"
+      }
+    },
     "node_modules/@nuxt/ui": {
       "version": "4.5.0",
       "resolved": "https://registry.npmjs.org/@nuxt/ui/-/ui-4.5.0.tgz",
@@ -5527,6 +5963,24 @@
         "tslib": "^2.4.0"
       }
     },
+    "node_modules/@types/chai": {
+      "version": "5.2.3",
+      "resolved": "https://registry.npmjs.org/@types/chai/-/chai-5.2.3.tgz",
+      "integrity": "sha512-Mw558oeA9fFbv65/y4mHtXDs9bPnFMZAL/jxdPFUpOHHIXX91mcgEHbS5Lahr+pwZFR8A7GQleRWeI6cGFC2UA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/deep-eql": "*",
+        "assertion-error": "^2.0.1"
+      }
+    },
+    "node_modules/@types/deep-eql": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/@types/deep-eql/-/deep-eql-4.0.2.tgz",
+      "integrity": "sha512-c9h9dVVMigMPc4bwTvC5dxqtqJZwQPePsWjPlpSOnojbor6pGqdk541lfA7AqFQr5pB1BRdq0juY9db81BwyFw==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/@types/estree": {
       "version": "1.0.8",
       "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.8.tgz",
@@ -5606,6 +6060,13 @@
       "integrity": "sha512-wWKOClTTiizcZhXnPY4wikVAwmdYHp8q6DmC+EJUzAMsycb7HB32Kh9RN4+0gExjmPmZSAQjgURXIGATPegAvA==",
       "license": "MIT"
     },
+    "node_modules/@types/trusted-types": {
+      "version": "2.0.7",
+      "resolved": "https://registry.npmjs.org/@types/trusted-types/-/trusted-types-2.0.7.tgz",
+      "integrity": "sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==",
+      "license": "MIT",
+      "optional": true
+    },
     "node_modules/@types/web-bluetooth": {
       "version": "0.0.21",
       "resolved": "https://registry.npmjs.org/@types/web-bluetooth/-/web-bluetooth-0.0.21.tgz",
@@ -6204,6 +6665,127 @@
         "vue": "^3.0.0"
       }
     },
+    "node_modules/@vitest/expect": {
+      "version": "4.0.18",
+      "resolved": "https://registry.npmjs.org/@vitest/expect/-/expect-4.0.18.tgz",
+      "integrity": "sha512-8sCWUyckXXYvx4opfzVY03EOiYVxyNrHS5QxX3DAIi5dpJAAkyJezHCP77VMX4HKA2LDT/Jpfo8i2r5BE3GnQQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@standard-schema/spec": "^1.0.0",
+        "@types/chai": "^5.2.2",
+        "@vitest/spy": "4.0.18",
+        "@vitest/utils": "4.0.18",
+        "chai": "^6.2.1",
+        "tinyrainbow": "^3.0.3"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      }
+    },
+    "node_modules/@vitest/mocker": {
+      "version": "4.0.18",
+      "resolved": "https://registry.npmjs.org/@vitest/mocker/-/mocker-4.0.18.tgz",
+      "integrity": "sha512-HhVd0MDnzzsgevnOWCBj5Otnzobjy5wLBe4EdeeFGv8luMsGcYqDuFRMcttKWZA5vVO8RFjexVovXvAM4JoJDQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@vitest/spy": "4.0.18",
+        "estree-walker": "^3.0.3",
+        "magic-string": "^0.30.21"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      },
+      "peerDependencies": {
+        "msw": "^2.4.9",
+        "vite": "^6.0.0 || ^7.0.0-0"
+      },
+      "peerDependenciesMeta": {
+        "msw": {
+          "optional": true
+        },
+        "vite": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@vitest/mocker/node_modules/estree-walker": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/estree-walker/-/estree-walker-3.0.3.tgz",
+      "integrity": "sha512-7RUKfXgSMMkzt6ZuXmqapOurLGPPfgj6l9uRZ7lRGolvk0y2yocc35LdcxKC5PQZdn2DMqioAQ2NoWcrTKmm6g==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/estree": "^1.0.0"
+      }
+    },
+    "node_modules/@vitest/pretty-format": {
+      "version": "4.0.18",
+      "resolved": "https://registry.npmjs.org/@vitest/pretty-format/-/pretty-format-4.0.18.tgz",
+      "integrity": "sha512-P24GK3GulZWC5tz87ux0m8OADrQIUVDPIjjj65vBXYG17ZeU3qD7r+MNZ1RNv4l8CGU2vtTRqixrOi9fYk/yKw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "tinyrainbow": "^3.0.3"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      }
+    },
+    "node_modules/@vitest/runner": {
+      "version": "4.0.18",
+      "resolved": "https://registry.npmjs.org/@vitest/runner/-/runner-4.0.18.tgz",
+      "integrity": "sha512-rpk9y12PGa22Jg6g5M3UVVnTS7+zycIGk9ZNGN+m6tZHKQb7jrP7/77WfZy13Y/EUDd52NDsLRQhYKtv7XfPQw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@vitest/utils": "4.0.18",
+        "pathe": "^2.0.3"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      }
+    },
+    "node_modules/@vitest/snapshot": {
+      "version": "4.0.18",
+      "resolved": "https://registry.npmjs.org/@vitest/snapshot/-/snapshot-4.0.18.tgz",
+      "integrity": "sha512-PCiV0rcl7jKQjbgYqjtakly6T1uwv/5BQ9SwBLekVg/EaYeQFPiXcgrC2Y7vDMA8dM1SUEAEV82kgSQIlXNMvA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@vitest/pretty-format": "4.0.18",
+        "magic-string": "^0.30.21",
+        "pathe": "^2.0.3"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      }
+    },
+    "node_modules/@vitest/spy": {
+      "version": "4.0.18",
+      "resolved": "https://registry.npmjs.org/@vitest/spy/-/spy-4.0.18.tgz",
+      "integrity": "sha512-cbQt3PTSD7P2OARdVW3qWER5EGq7PHlvE+QfzSC0lbwO+xnt7+XH06ZzFjFRgzUX//JmpxrCu92VdwvEPlWSNw==",
+      "dev": true,
+      "license": "MIT",
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      }
+    },
+    "node_modules/@vitest/utils": {
+      "version": "4.0.18",
+      "resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-4.0.18.tgz",
+      "integrity": "sha512-msMRKLMVLWygpK3u2Hybgi4MNjcYJvwTb0Ru09+fOyCXIgT5raYP041DRRdiJiI3k/2U6SEbAETB3YtBrUkCFA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@vitest/pretty-format": "4.0.18",
+        "tinyrainbow": "^3.0.3"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      }
+    },
     "node_modules/@volar/language-core": {
       "version": "2.4.28",
       "resolved": "https://registry.npmjs.org/@volar/language-core/-/language-core-2.4.28.tgz",
@@ -6848,6 +7430,16 @@
         "node": ">=10"
       }
     },
+    "node_modules/assertion-error": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/assertion-error/-/assertion-error-2.0.1.tgz",
+      "integrity": "sha512-Izi8RQcffqCeNVgFigKli1ssklIbpHnCYc6AknXGYoB6grJqyeby7jv12JUQgmTAnIDnbck1uxksT4dzN3PWBA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=12"
+      }
+    },
     "node_modules/ast-kit": {
       "version": "2.2.0",
       "resolved": "https://registry.npmjs.org/ast-kit/-/ast-kit-2.2.0.tgz",
@@ -7023,6 +7615,15 @@
         "bcrypt": "bin/bcrypt"
       }
     },
+    "node_modules/bidi-js": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/bidi-js/-/bidi-js-1.0.3.tgz",
+      "integrity": "sha512-RKshQI1R3YQ+n9YJz2QQ147P66ELpa1FQEg20Dk8oW9t2KgLbpDLLp9aGZ7y8WHSshDknG0bknqGw5/tyCs5tw==",
+      "license": "MIT",
+      "dependencies": {
+        "require-from-string": "^2.0.2"
+      }
+    },
     "node_modules/bindings": {
       "version": "1.5.0",
       "resolved": "https://registry.npmjs.org/bindings/-/bindings-1.5.0.tgz",
@@ -7301,6 +7902,16 @@
       ],
       "license": "CC-BY-4.0"
     },
+    "node_modules/chai": {
+      "version": "6.2.2",
+      "resolved": "https://registry.npmjs.org/chai/-/chai-6.2.2.tgz",
+      "integrity": "sha512-NUPRluOfOiTKBKvWPtSD4PhFvWCqOi0BGStNWs57X9js7XGTprSmFoz5F0tWhR4WPjNeR9jXqdC7/UpSJTnlRg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/chalk": {
       "version": "4.1.2",
       "resolved": "https://registry.npmjs.org/chalk/-/chalk-4.1.2.tgz",
@@ -7855,12 +8466,84 @@
       "integrity": "sha512-aylIc7Z9y4yzHYAJNuESG3hfhC+0Ibp/MAMiaOZgNv4pmEdFyfZhhhny4MNiAfWdBQ1RQ2mfDWmM1x8SvGyp8g==",
       "license": "CC0-1.0"
     },
+    "node_modules/cssstyle": {
+      "version": "6.1.0",
+      "resolved": "https://registry.npmjs.org/cssstyle/-/cssstyle-6.1.0.tgz",
+      "integrity": "sha512-Ml4fP2UT2K3CUBQnVlbdV/8aFDdlY69E+YnwJM+3VUWl08S3J8c8aRuJqCkD9Py8DHZ7zNNvsfKl8psocHZEFg==",
+      "license": "MIT",
+      "dependencies": {
+        "@asamuzakjp/css-color": "^5.0.0",
+        "@csstools/css-syntax-patches-for-csstree": "^1.0.28",
+        "css-tree": "^3.1.0",
+        "lru-cache": "^11.2.6"
+      },
+      "engines": {
+        "node": ">=20"
+      }
+    },
+    "node_modules/cssstyle/node_modules/lru-cache": {
+      "version": "11.2.6",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.2.6.tgz",
+      "integrity": "sha512-ESL2CrkS/2wTPfuend7Zhkzo2u0daGJ/A2VucJOgQ/C48S/zB8MMeMHSGKYpXhIjbPxfuezITkaBH1wqv00DDQ==",
+      "license": "BlueOak-1.0.0",
+      "engines": {
+        "node": "20 || >=22"
+      }
+    },
     "node_modules/csstype": {
       "version": "3.2.3",
       "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.2.3.tgz",
       "integrity": "sha512-z1HGKcYy2xA8AGQfwrn0PAy+PB7X/GSj3UVJW9qKyn43xWa+gl5nXmU4qqLMRzWVLFC8KusUX8T/0kCiOYpAIQ==",
       "license": "MIT"
     },
+    "node_modules/data-urls": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/data-urls/-/data-urls-7.0.0.tgz",
+      "integrity": "sha512-23XHcCF+coGYevirZceTVD7NdJOqVn+49IHyxgszm+JIiHLoB2TkmPtsYkNWT1pvRSGkc35L6NHs0yHkN2SumA==",
+      "license": "MIT",
+      "dependencies": {
+        "whatwg-mimetype": "^5.0.0",
+        "whatwg-url": "^16.0.0"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      }
+    },
+    "node_modules/data-urls/node_modules/tr46": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/tr46/-/tr46-6.0.0.tgz",
+      "integrity": "sha512-bLVMLPtstlZ4iMQHpFHTR7GAGj2jxi8Dg0s2h2MafAE4uSWF98FC/3MomU51iQAMf8/qDUbKWf5GxuvvVcXEhw==",
+      "license": "MIT",
+      "dependencies": {
+        "punycode": "^2.3.1"
+      },
+      "engines": {
+        "node": ">=20"
+      }
+    },
+    "node_modules/data-urls/node_modules/webidl-conversions": {
+      "version": "8.0.1",
+      "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-8.0.1.tgz",
+      "integrity": "sha512-BMhLD/Sw+GbJC21C/UgyaZX41nPt8bUTg+jWyDeg7e7YN4xOM05YPSIXceACnXVtqyEw/LMClUQMtMZ+PGGpqQ==",
+      "license": "BSD-2-Clause",
+      "engines": {
+        "node": ">=20"
+      }
+    },
+    "node_modules/data-urls/node_modules/whatwg-url": {
+      "version": "16.0.1",
+      "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-16.0.1.tgz",
+      "integrity": "sha512-1to4zXBxmXHV3IiSSEInrreIlu02vUOvrhxJJH5vcxYTBDAx51cqZiKdyTxlecdKNSjj8EcxGBxNf6Vg+945gw==",
+      "license": "MIT",
+      "dependencies": {
+        "@exodus/bytes": "^1.11.0",
+        "tr46": "^6.0.0",
+        "webidl-conversions": "^8.0.1"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      }
+    },
     "node_modules/db0": {
       "version": "0.3.4",
       "resolved": "https://registry.npmjs.org/db0/-/db0-0.3.4.tgz",
@@ -7912,6 +8595,12 @@
         }
       }
     },
+    "node_modules/decimal.js": {
+      "version": "10.6.0",
+      "resolved": "https://registry.npmjs.org/decimal.js/-/decimal.js-10.6.0.tgz",
+      "integrity": "sha512-YpgQiITW3JXGntzdUmyUR1V812Hn8T1YVXhCu+wO3OpS4eU9l4YdD3qjyiKdV6mvV29zapkMeD390UVEf2lkUg==",
+      "license": "MIT"
+    },
     "node_modules/deep-is": {
       "version": "0.1.4",
       "resolved": "https://registry.npmjs.org/deep-is/-/deep-is-0.1.4.tgz",
@@ -8080,6 +8769,15 @@
         "url": "https://github.com/fb55/domhandler?sponsor=1"
       }
     },
+    "node_modules/dompurify": {
+      "version": "3.3.1",
+      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.3.1.tgz",
+      "integrity": "sha512-qkdCKzLNtrgPFP1Vo+98FRzJnBRGe4ffyCea9IwHB1fyxPOeNTHpLKYGd4Uk9xvNoH0ZoOjwZxNptyMwqrId1Q==",
+      "license": "(MPL-2.0 OR Apache-2.0)",
+      "optionalDependencies": {
+        "@types/trusted-types": "^2.0.7"
+      }
+    },
     "node_modules/domutils": {
       "version": "3.2.2",
       "resolved": "https://registry.npmjs.org/domutils/-/domutils-3.2.2.tgz",
@@ -9101,12 +9799,32 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/expect-type": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/expect-type/-/expect-type-1.3.0.tgz",
+      "integrity": "sha512-knvyeauYhqjOYvQ66MznSMs83wmHrCycNEN6Ao+2AeYEfxUIkuiVxdEa1qlGEPK+We3n0THiDciYSsCcgW/DoA==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=12.0.0"
+      }
+    },
     "node_modules/exsolve": {
       "version": "1.0.8",
       "resolved": "https://registry.npmjs.org/exsolve/-/exsolve-1.0.8.tgz",
       "integrity": "sha512-LmDxfWXwcTArk8fUEnOfSZpHOJ6zOMUJKOtFLFqJLoKJetuQG874Uc7/Kki7zFLzYybmZhp1M7+98pfMqeX8yA==",
       "license": "MIT"
     },
+    "node_modules/fake-indexeddb": {
+      "version": "6.2.5",
+      "resolved": "https://registry.npmjs.org/fake-indexeddb/-/fake-indexeddb-6.2.5.tgz",
+      "integrity": "sha512-CGnyrvbhPlWYMngksqrSSUT1BAVP49dZocrHuK0SvtR0D5TMs5wP0o3j7jexDJW01KSadjBp1M/71o/KR3nD1w==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/fast-deep-equal": {
       "version": "3.1.3",
       "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz",
@@ -9761,6 +10479,18 @@
       "integrity": "sha512-Yc+BQe8SvoXH1643Qez1zqLRmbA5rCL+sSmk6TVos0LWVfNIB7PGncdlId77WzLGSIB5KaWgTaNTs2lNVEI6VQ==",
       "license": "MIT"
     },
+    "node_modules/html-encoding-sniffer": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/html-encoding-sniffer/-/html-encoding-sniffer-6.0.0.tgz",
+      "integrity": "sha512-CV9TW3Y3f8/wT0BRFc1/KAVQ3TUHiXmaAb6VW9vtiMFf7SLoMd1PdAc4W3KFOFETBJUb90KatHqlsZMWV+R9Gg==",
+      "license": "MIT",
+      "dependencies": {
+        "@exodus/bytes": "^1.6.0"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      }
+    },
     "node_modules/html-entities": {
       "version": "2.6.0",
       "resolved": "https://registry.npmjs.org/html-entities/-/html-entities-2.6.0.tgz",
@@ -9797,6 +10527,19 @@
         "url": "https://opencollective.com/express"
       }
     },
+    "node_modules/http-proxy-agent": {
+      "version": "7.0.2",
+      "resolved": "https://registry.npmjs.org/http-proxy-agent/-/http-proxy-agent-7.0.2.tgz",
+      "integrity": "sha512-T1gkAiYYDWYx3V5Bmyu7HcfcvL7mUrTWiM6yOfa3PIphViJ/gFPbvidQ+veqSOHci/PxBcDabeUNCzpOODJZig==",
+      "license": "MIT",
+      "dependencies": {
+        "agent-base": "^7.1.0",
+        "debug": "^4.3.4"
+      },
+      "engines": {
+        "node": ">= 14"
+      }
+    },
     "node_modules/http-shutdown": {
       "version": "1.2.2",
       "resolved": "https://registry.npmjs.org/http-shutdown/-/http-shutdown-1.2.2.tgz",
@@ -10137,6 +10880,12 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/is-potential-custom-element-name": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/is-potential-custom-element-name/-/is-potential-custom-element-name-1.0.1.tgz",
+      "integrity": "sha512-bCYeRA2rVibKZd+s2625gGnGF/t7DSqDs4dP7CrLA1m7jKWz6pps0LpYLJN8Q64HtmPKJ1hrN3nzPNKFEKOUiQ==",
+      "license": "MIT"
+    },
     "node_modules/is-reference": {
       "version": "1.2.1",
       "resolved": "https://registry.npmjs.org/is-reference/-/is-reference-1.2.1.tgz",
@@ -10212,6 +10961,19 @@
       "integrity": "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==",
       "license": "ISC"
     },
+    "node_modules/isomorphic-dompurify": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/isomorphic-dompurify/-/isomorphic-dompurify-3.0.0.tgz",
+      "integrity": "sha512-5K+MYP7Nrg74+Bi+QmQGzQ/FgEOyVHWsN8MuJy5wYQxxBRxPnWsD25Tjjt5FWYhan3OQ+vNLubyNJH9dfG03lQ==",
+      "license": "MIT",
+      "dependencies": {
+        "dompurify": "^3.3.1",
+        "jsdom": "^28.0.0"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      }
+    },
     "node_modules/isomorphic.js": {
       "version": "0.2.5",
       "resolved": "https://registry.npmjs.org/isomorphic.js/-/isomorphic.js-0.2.5.tgz",
@@ -10274,6 +11036,90 @@
         "node": ">=20.0.0"
       }
     },
+    "node_modules/jsdom": {
+      "version": "28.1.0",
+      "resolved": "https://registry.npmjs.org/jsdom/-/jsdom-28.1.0.tgz",
+      "integrity": "sha512-0+MoQNYyr2rBHqO1xilltfDjV9G7ymYGlAUazgcDLQaUf8JDHbuGwsxN6U9qWaElZ4w1B2r7yEGIL3GdeW3Rug==",
+      "license": "MIT",
+      "dependencies": {
+        "@acemir/cssom": "^0.9.31",
+        "@asamuzakjp/dom-selector": "^6.8.1",
+        "@bramus/specificity": "^2.4.2",
+        "@exodus/bytes": "^1.11.0",
+        "cssstyle": "^6.0.1",
+        "data-urls": "^7.0.0",
+        "decimal.js": "^10.6.0",
+        "html-encoding-sniffer": "^6.0.0",
+        "http-proxy-agent": "^7.0.2",
+        "https-proxy-agent": "^7.0.6",
+        "is-potential-custom-element-name": "^1.0.1",
+        "parse5": "^8.0.0",
+        "saxes": "^6.0.0",
+        "symbol-tree": "^3.2.4",
+        "tough-cookie": "^6.0.0",
+        "undici": "^7.21.0",
+        "w3c-xmlserializer": "^5.0.0",
+        "webidl-conversions": "^8.0.1",
+        "whatwg-mimetype": "^5.0.0",
+        "whatwg-url": "^16.0.0",
+        "xml-name-validator": "^5.0.0"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      },
+      "peerDependencies": {
+        "canvas": "^3.0.0"
+      },
+      "peerDependenciesMeta": {
+        "canvas": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/jsdom/node_modules/tr46": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/tr46/-/tr46-6.0.0.tgz",
+      "integrity": "sha512-bLVMLPtstlZ4iMQHpFHTR7GAGj2jxi8Dg0s2h2MafAE4uSWF98FC/3MomU51iQAMf8/qDUbKWf5GxuvvVcXEhw==",
+      "license": "MIT",
+      "dependencies": {
+        "punycode": "^2.3.1"
+      },
+      "engines": {
+        "node": ">=20"
+      }
+    },
+    "node_modules/jsdom/node_modules/webidl-conversions": {
+      "version": "8.0.1",
+      "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-8.0.1.tgz",
+      "integrity": "sha512-BMhLD/Sw+GbJC21C/UgyaZX41nPt8bUTg+jWyDeg7e7YN4xOM05YPSIXceACnXVtqyEw/LMClUQMtMZ+PGGpqQ==",
+      "license": "BSD-2-Clause",
+      "engines": {
+        "node": ">=20"
+      }
+    },
+    "node_modules/jsdom/node_modules/whatwg-url": {
+      "version": "16.0.1",
+      "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-16.0.1.tgz",
+      "integrity": "sha512-1to4zXBxmXHV3IiSSEInrreIlu02vUOvrhxJJH5vcxYTBDAx51cqZiKdyTxlecdKNSjj8EcxGBxNf6Vg+945gw==",
+      "license": "MIT",
+      "dependencies": {
+        "@exodus/bytes": "^1.11.0",
+        "tr46": "^6.0.0",
+        "webidl-conversions": "^8.0.1"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      }
+    },
+    "node_modules/jsdom/node_modules/xml-name-validator": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/xml-name-validator/-/xml-name-validator-5.0.0.tgz",
+      "integrity": "sha512-EvGK8EJ3DhaHfbRlETOWAS5pO9MZITeauHKJyb8wyajUfQUenkIg2MvLDTZ4T/TgIcm3HU0TFBgWWboAZ30UHg==",
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/jsesc": {
       "version": "3.1.0",
       "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-3.1.0.tgz",
@@ -12244,6 +13090,30 @@
       "integrity": "sha512-HlsyYdMBnbPQ9Jr/VgJ1YF4scnldvJpJxCVx6KgqPL4dxppsWrJHCIIxQXMJrqGnsRkNPATbeMJ8Yxu7JMsYcA==",
       "license": "MIT"
     },
+    "node_modules/parse5": {
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/parse5/-/parse5-8.0.0.tgz",
+      "integrity": "sha512-9m4m5GSgXjL4AjumKzq1Fgfp3Z8rsvjRNbnkVwfu2ImRqE5D0LnY2QfDen18FSY9C573YU5XxSapdHZTZ2WolA==",
+      "license": "MIT",
+      "dependencies": {
+        "entities": "^6.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/inikulin/parse5?sponsor=1"
+      }
+    },
+    "node_modules/parse5/node_modules/entities": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/entities/-/entities-6.0.1.tgz",
+      "integrity": "sha512-aN97NXWF6AWBTahfVOIrB/NShkzi5H7F9r1s9mD3cDj4Ko5f2qhhVoYMibXF7GlLveb/D2ioWay8lxI97Ven3g==",
+      "license": "BSD-2-Clause",
+      "engines": {
+        "node": ">=0.12"
+      },
+      "funding": {
+        "url": "https://github.com/fb55/entities?sponsor=1"
+      }
+    },
     "node_modules/parseurl": {
       "version": "1.3.3",
       "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz",
@@ -13234,6 +14104,12 @@
         "node": ">= 0.6"
       }
     },
+    "node_modules/rate-limiter-flexible": {
+      "version": "9.1.1",
+      "resolved": "https://registry.npmjs.org/rate-limiter-flexible/-/rate-limiter-flexible-9.1.1.tgz",
+      "integrity": "sha512-imxFjzPCmvDLMe7d2tsgiSQvs5EI2fI9SNymmslAfOqznZhsZ+PqbIjIYKpuSbd3pKovR1aMG47qfCLIO/adVg==",
+      "license": "ISC"
+    },
     "node_modules/rc9": {
       "version": "3.0.0",
       "resolved": "https://registry.npmjs.org/rc9/-/rc9-3.0.0.tgz",
@@ -13410,6 +14286,15 @@
         "node": ">=0.10.0"
       }
     },
+    "node_modules/require-from-string": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/require-from-string/-/require-from-string-2.0.2.tgz",
+      "integrity": "sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
     "node_modules/resend": {
       "version": "6.9.2",
       "resolved": "https://registry.npmjs.org/resend/-/resend-6.9.2.tgz",
@@ -13662,6 +14547,18 @@
         "node": ">=11.0.0"
       }
     },
+    "node_modules/saxes": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/saxes/-/saxes-6.0.0.tgz",
+      "integrity": "sha512-xAg7SOnEhrm5zI3puOOKyy1OMcMlIJZYNJY7xLBwSze0UjhPLnWfj2GF2EpT0jmzaJKIWKHLsaSSajf35bcYnA==",
+      "license": "ISC",
+      "dependencies": {
+        "xmlchars": "^2.2.0"
+      },
+      "engines": {
+        "node": ">=v12.22.7"
+      }
+    },
     "node_modules/scslre": {
       "version": "0.3.0",
       "resolved": "https://registry.npmjs.org/scslre/-/scslre-0.3.0.tgz",
@@ -13836,6 +14733,13 @@
       "integrity": "sha512-Rtlj66/b0ICeFzYTuNvX/EF1igRbbnGSvEyT79McoZa/DeGhMyC5pWKOEsZKnpkqtSeovd5FL/bjHWC3CIIvCQ==",
       "license": "MIT"
     },
+    "node_modules/siginfo": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/siginfo/-/siginfo-2.0.0.tgz",
+      "integrity": "sha512-ybx0WO1/8bSBLEWXZvEd7gMW3Sn3JFlW3TvX1nREbDLRNQNaeNN8WK0meBwPdAaOI7TtRRRJn/Es1zhrrCHu7g==",
+      "dev": true,
+      "license": "ISC"
+    },
     "node_modules/signal-exit": {
       "version": "4.1.0",
       "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz",
@@ -14002,6 +14906,13 @@
         "node": ">=12.0.0"
       }
     },
+    "node_modules/stackback": {
+      "version": "0.0.2",
+      "resolved": "https://registry.npmjs.org/stackback/-/stackback-0.0.2.tgz",
+      "integrity": "sha512-1XMJE5fQo1jGH6Y/7ebnwPOBEkIEnT4QF32d5R1+VXdXveM0IBMJt8zfaxX1P3QhVwrYe+576+jkANtSS2mBbw==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/standard-as-callback": {
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/standard-as-callback/-/standard-as-callback-2.1.0.tgz",
@@ -14276,6 +15187,12 @@
         "uuid": "^10.0.0"
       }
     },
+    "node_modules/symbol-tree": {
+      "version": "3.2.4",
+      "resolved": "https://registry.npmjs.org/symbol-tree/-/symbol-tree-3.2.4.tgz",
+      "integrity": "sha512-9QNk5KwDF+Bvz+PyObkmSYjI5ksVUYtjW7AU22r2NKcfLJcXp96hkDWU3+XndOsUb+AQ9QhfzfCT2O+CNWT5Tw==",
+      "license": "MIT"
+    },
     "node_modules/system-architecture": {
       "version": "0.1.0",
       "resolved": "https://registry.npmjs.org/system-architecture/-/system-architecture-0.1.0.tgz",
@@ -14429,6 +15346,13 @@
       "integrity": "sha512-+FbBPE1o9QAYvviau/qC5SE3caw21q3xkvWKBtja5vgqOWIHHJ3ioaq1VPfn/Szqctz2bU/oYeKd9/z5BL+PVg==",
       "license": "MIT"
     },
+    "node_modules/tinybench": {
+      "version": "2.9.0",
+      "resolved": "https://registry.npmjs.org/tinybench/-/tinybench-2.9.0.tgz",
+      "integrity": "sha512-0+DUvqWMValLmha6lr4kD8iAMK1HzV0/aKnCtWb9v9641TnP/MFb7Pc2bxoxQjTXAErryXVgUOfv2YqNllqGeg==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/tinyexec": {
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/tinyexec/-/tinyexec-1.0.2.tgz",
@@ -14454,6 +15378,34 @@
         "url": "https://github.com/sponsors/SuperchupuDev"
       }
     },
+    "node_modules/tinyrainbow": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/tinyrainbow/-/tinyrainbow-3.0.3.tgz",
+      "integrity": "sha512-PSkbLUoxOFRzJYjjxHJt9xro7D+iilgMX/C9lawzVuYiIdcihh9DXmVibBe8lmcFrRi/VzlPjBxbN7rH24q8/Q==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
+    "node_modules/tldts": {
+      "version": "7.0.23",
+      "resolved": "https://registry.npmjs.org/tldts/-/tldts-7.0.23.tgz",
+      "integrity": "sha512-ASdhgQIBSay0R/eXggAkQ53G4nTJqTXqC2kbaBbdDwM7SkjyZyO0OaaN1/FH7U/yCeqOHDwFO5j8+Os/IS1dXw==",
+      "license": "MIT",
+      "dependencies": {
+        "tldts-core": "^7.0.23"
+      },
+      "bin": {
+        "tldts": "bin/cli.js"
+      }
+    },
+    "node_modules/tldts-core": {
+      "version": "7.0.23",
+      "resolved": "https://registry.npmjs.org/tldts-core/-/tldts-core-7.0.23.tgz",
+      "integrity": "sha512-0g9vrtDQLrNIiCj22HSe9d4mLVG3g5ph5DZ8zCKBr4OtrspmNB6ss7hVyzArAeE88ceZocIEGkyW1Ime7fxPtQ==",
+      "license": "MIT"
+    },
     "node_modules/to-regex-range": {
       "version": "5.0.1",
       "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
@@ -14500,6 +15452,18 @@
         "node": ">=6"
       }
     },
+    "node_modules/tough-cookie": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-6.0.0.tgz",
+      "integrity": "sha512-kXuRi1mtaKMrsLUxz3sQYvVl37B0Ns6MzfrtV5DvJceE9bPyspOqk9xxv7XbZWcfLWbFmm997vl83qUWVJA64w==",
+      "license": "BSD-3-Clause",
+      "dependencies": {
+        "tldts": "^7.0.5"
+      },
+      "engines": {
+        "node": ">=16"
+      }
+    },
     "node_modules/tr46": {
       "version": "5.1.1",
       "resolved": "https://registry.npmjs.org/tr46/-/tr46-5.1.1.tgz",
@@ -14636,6 +15600,15 @@
         "node": ">=18.12.0"
       }
     },
+    "node_modules/undici": {
+      "version": "7.22.0",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-7.22.0.tgz",
+      "integrity": "sha512-RqslV2Us5BrllB+JeiZnK4peryVTndy9Dnqq62S3yYRRTj0tFQCwEniUy2167skdGOy3vqRzEvl1Dm4sV2ReDg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=20.18.1"
+      }
+    },
     "node_modules/undici-types": {
       "version": "7.18.2",
       "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.18.2.tgz",
@@ -15711,6 +16684,101 @@
         "@types/estree": "^1.0.0"
       }
     },
+    "node_modules/vitest": {
+      "version": "4.0.18",
+      "resolved": "https://registry.npmjs.org/vitest/-/vitest-4.0.18.tgz",
+      "integrity": "sha512-hOQuK7h0FGKgBAas7v0mSAsnvrIgAvWmRFjmzpJ7SwFHH3g1k2u37JtYwOwmEKhK6ZO3v9ggDBBm0La1LCK4uQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@vitest/expect": "4.0.18",
+        "@vitest/mocker": "4.0.18",
+        "@vitest/pretty-format": "4.0.18",
+        "@vitest/runner": "4.0.18",
+        "@vitest/snapshot": "4.0.18",
+        "@vitest/spy": "4.0.18",
+        "@vitest/utils": "4.0.18",
+        "es-module-lexer": "^1.7.0",
+        "expect-type": "^1.2.2",
+        "magic-string": "^0.30.21",
+        "obug": "^2.1.1",
+        "pathe": "^2.0.3",
+        "picomatch": "^4.0.3",
+        "std-env": "^3.10.0",
+        "tinybench": "^2.9.0",
+        "tinyexec": "^1.0.2",
+        "tinyglobby": "^0.2.15",
+        "tinyrainbow": "^3.0.3",
+        "vite": "^6.0.0 || ^7.0.0",
+        "why-is-node-running": "^2.3.0"
+      },
+      "bin": {
+        "vitest": "vitest.mjs"
+      },
+      "engines": {
+        "node": "^20.0.0 || ^22.0.0 || >=24.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      },
+      "peerDependencies": {
+        "@edge-runtime/vm": "*",
+        "@opentelemetry/api": "^1.9.0",
+        "@types/node": "^20.0.0 || ^22.0.0 || >=24.0.0",
+        "@vitest/browser-playwright": "4.0.18",
+        "@vitest/browser-preview": "4.0.18",
+        "@vitest/browser-webdriverio": "4.0.18",
+        "@vitest/ui": "4.0.18",
+        "happy-dom": "*",
+        "jsdom": "*"
+      },
+      "peerDependenciesMeta": {
+        "@edge-runtime/vm": {
+          "optional": true
+        },
+        "@opentelemetry/api": {
+          "optional": true
+        },
+        "@types/node": {
+          "optional": true
+        },
+        "@vitest/browser-playwright": {
+          "optional": true
+        },
+        "@vitest/browser-preview": {
+          "optional": true
+        },
+        "@vitest/browser-webdriverio": {
+          "optional": true
+        },
+        "@vitest/ui": {
+          "optional": true
+        },
+        "happy-dom": {
+          "optional": true
+        },
+        "jsdom": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/vitest-environment-nuxt": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/vitest-environment-nuxt/-/vitest-environment-nuxt-1.0.1.tgz",
+      "integrity": "sha512-eBCwtIQriXW5/M49FjqNKfnlJYlG2LWMSNFsRVKomc8CaMqmhQPBS5LZ9DlgYL9T8xIVsiA6RZn2lk7vxov3Ow==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@nuxt/test-utils": ">=3.13.1"
+      }
+    },
+    "node_modules/vitest/node_modules/es-module-lexer": {
+      "version": "1.7.0",
+      "resolved": "https://registry.npmjs.org/es-module-lexer/-/es-module-lexer-1.7.0.tgz",
+      "integrity": "sha512-jEQoCwk8hyb2AZziIOLhDqpm5+2ww5uIE6lkO/6jcOCusfk6LhMHpXXfBLXTZ7Ydyt0j4VoUQv6uGNYbdW+kBA==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/vscode-uri": {
       "version": "3.1.0",
       "resolved": "https://registry.npmjs.org/vscode-uri/-/vscode-uri-3.1.0.tgz",
@@ -15815,6 +16883,27 @@
       "integrity": "sha512-dpojBhNsCNN7T82Tm7k26A6G9ML3NkhDsnw9n/eoxSRlVBB4CEtIQ/KTCLI2Fwf3ataSXRhYFkQi3SlnFwPvPQ==",
       "license": "MIT"
     },
+    "node_modules/w3c-xmlserializer": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/w3c-xmlserializer/-/w3c-xmlserializer-5.0.0.tgz",
+      "integrity": "sha512-o8qghlI8NZHU1lLPrpi2+Uq7abh4GGPpYANlalzWxyWteJOCsr/P+oPBA49TOLu5FTZO4d3F9MnWJfiMo4BkmA==",
+      "license": "MIT",
+      "dependencies": {
+        "xml-name-validator": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/w3c-xmlserializer/node_modules/xml-name-validator": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/xml-name-validator/-/xml-name-validator-5.0.0.tgz",
+      "integrity": "sha512-EvGK8EJ3DhaHfbRlETOWAS5pO9MZITeauHKJyb8wyajUfQUenkIg2MvLDTZ4T/TgIcm3HU0TFBgWWboAZ30UHg==",
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/webidl-conversions": {
       "version": "7.0.0",
       "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-7.0.0.tgz",
@@ -15830,6 +16919,15 @@
       "integrity": "sha512-66/V2i5hQanC51vBQKPH4aI8NMAcBW59FVBs+rC7eGHupMyfn34q7rZIE+ETlJ+XTevqfUhVVBgSUNSW2flEUQ==",
       "license": "MIT"
     },
+    "node_modules/whatwg-mimetype": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/whatwg-mimetype/-/whatwg-mimetype-5.0.0.tgz",
+      "integrity": "sha512-sXcNcHOC51uPGF0P/D4NVtrkjSU2fNsm9iog4ZvZJsL3rjoDAzXZhkm2MWt1y+PUdggKAYVoMAIYcs78wJ51Cw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=20"
+      }
+    },
     "node_modules/whatwg-url": {
       "version": "14.2.0",
       "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-14.2.0.tgz",
@@ -15867,6 +16965,23 @@
         "node": ">= 8"
       }
     },
+    "node_modules/why-is-node-running": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/why-is-node-running/-/why-is-node-running-2.3.0.tgz",
+      "integrity": "sha512-hUrmaWBdVDcxvYqnyh09zunKzROWjbZTiNy8dBEjkS7ehEDQibXJ7XvlmtbwuTclUiIyN+CyXQD4Vmko8fNm8w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "siginfo": "^2.0.0",
+        "stackback": "0.0.2"
+      },
+      "bin": {
+        "why-is-node-running": "cli.js"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
     "node_modules/word-wrap": {
       "version": "1.2.5",
       "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.5.tgz",
@@ -15956,6 +17071,12 @@
         "node": ">=12"
       }
     },
+    "node_modules/xmlchars": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/xmlchars/-/xmlchars-2.2.0.tgz",
+      "integrity": "sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw==",
+      "license": "MIT"
+    },
     "node_modules/y-protocols": {
       "version": "1.0.7",
       "resolved": "https://registry.npmjs.org/y-protocols/-/y-protocols-1.0.7.tgz",
diff --git a/package.json b/package.json
index 4d998b9..dd20eb1 100644
--- a/package.json
+++ b/package.json
@@ -7,7 +7,9 @@
     "dev": "nuxt dev",
     "generate": "nuxt generate",
     "preview": "nuxt preview",
-    "postinstall": "nuxt prepare"
+    "postinstall": "nuxt prepare",
+    "test": "vitest",
+    "test:run": "vitest run"
   },
   "dependencies": {
     "@cloudinary/vue": "^1.13.3",
@@ -21,11 +23,13 @@
     "chrono-node": "^2.8.4",
     "cloudinary": "^2.7.0",
     "eslint": "^9.34.0",
+    "isomorphic-dompurify": "^3.0.0",
     "jsonwebtoken": "^9.0.2",
     "marked": "^17.0.3",
     "mongoose": "^8.18.0",
     "nitro-cors": "^0.7.1",
     "nuxt": "^4.0.3",
+    "rate-limiter-flexible": "^9.1.1",
     "resend": "^6.0.1",
     "typescript": "^5.9.2",
     "vue": "^3.5.20",
@@ -33,6 +37,9 @@
     "zod": "^4.1.3"
   },
   "devDependencies": {
-    "@tailwindcss/typography": "^0.5.19"
+    "@nuxt/test-utils": "^4.0.0",
+    "@tailwindcss/typography": "^0.5.19",
+    "jsdom": "^28.1.0",
+    "vitest": "^4.0.18"
   }
 }
diff --git a/tests/client/composables/useMarkdown.test.js b/tests/client/composables/useMarkdown.test.js
new file mode 100644
index 0000000..c78e6b0
--- /dev/null
+++ b/tests/client/composables/useMarkdown.test.js
@@ -0,0 +1,110 @@
+import { describe, it, expect } from 'vitest'
+import { useMarkdown } from '../../../app/composables/useMarkdown.js'
+
+describe('useMarkdown', () => {
+  const { render } = useMarkdown()
+
+  describe('XSS prevention', () => {
+    it('strips script tags', () => {
+      const result = render('Hello <script>alert("xss")</script> world')
+      expect(result).not.toContain('<script>')
+      expect(result).not.toContain('</script>')
+      expect(result).toContain('Hello')
+      expect(result).toContain('world')
+    })
+
+    it('strips onerror attributes', () => {
+      const result = render('<img onerror="alert(1)" src="x">')
+      expect(result).not.toContain('onerror')
+    })
+
+    it('strips onclick attributes', () => {
+      const result = render('<a onclick="alert(1)" href="#">click</a>')
+      expect(result).not.toContain('onclick')
+    })
+
+    it('strips iframe tags', () => {
+      const result = render('<iframe src="https://evil.com"></iframe>')
+      expect(result).not.toContain('<iframe')
+    })
+
+    it('strips object tags', () => {
+      const result = render('<object data="exploit.swf"></object>')
+      expect(result).not.toContain('<object')
+    })
+
+    it('strips embed tags', () => {
+      const result = render('<embed src="exploit.swf">')
+      expect(result).not.toContain('<embed')
+    })
+
+    it('sanitizes javascript: URIs', () => {
+      const result = render('[click me](javascript:alert(1))')
+      expect(result).not.toContain('javascript:')
+    })
+
+    it('strips img tags (not in allowed list)', () => {
+      const result = render('![alt](https://example.com/img.png)')
+      expect(result).not.toContain('<img')
+    })
+  })
+
+  describe('preserves safe markdown', () => {
+    it('renders bold and italic', () => {
+      const result = render('**bold** and *italic*')
+      expect(result).toContain('<strong>bold</strong>')
+      expect(result).toContain('<em>italic</em>')
+    })
+
+    it('renders links with href', () => {
+      const result = render('[Ghost Guild](https://ghostguild.org)')
+      expect(result).toContain('<a')
+      expect(result).toContain('href="https://ghostguild.org"')
+    })
+
+    it('preserves headings h1-h6', () => {
+      for (let i = 1; i <= 6; i++) {
+        const hashes = '#'.repeat(i)
+        const result = render(`${hashes} Heading ${i}`)
+        expect(result).toContain(`<h${i}>`)
+      }
+    })
+
+    it('preserves code blocks', () => {
+      const result = render('`inline code` and\n\n```\nblock code\n```')
+      expect(result).toContain('<code>')
+      expect(result).toContain('<pre>')
+    })
+
+    it('preserves blockquotes', () => {
+      const result = render('> This is a quote')
+      expect(result).toContain('<blockquote>')
+    })
+
+    it('preserves lists', () => {
+      const result = render('- item 1\n- item 2')
+      expect(result).toContain('<ul>')
+      expect(result).toContain('<li>')
+    })
+
+    it('preserves allowed attributes: href, target, rel, class', () => {
+      // DOMPurify allows href on <a> tags
+      const result = render('[link](https://example.com)')
+      expect(result).toContain('href=')
+    })
+  })
+
+  describe('edge cases', () => {
+    it('returns empty string for null', () => {
+      expect(render(null)).toBe('')
+    })
+
+    it('returns empty string for undefined', () => {
+      expect(render(undefined)).toBe('')
+    })
+
+    it('returns empty string for empty string', () => {
+      expect(render('')).toBe('')
+    })
+  })
+})
diff --git a/tests/server/api/auth-login.test.js b/tests/server/api/auth-login.test.js
new file mode 100644
index 0000000..813d7f8
--- /dev/null
+++ b/tests/server/api/auth-login.test.js
@@ -0,0 +1,113 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+
+vi.mock('../../../server/models/member.js', () => ({
+  default: { findOne: vi.fn() }
+}))
+
+vi.mock('../../../server/utils/mongoose.js', () => ({
+  connectDB: vi.fn()
+}))
+
+vi.mock('jsonwebtoken', () => ({
+  default: { sign: vi.fn().mockReturnValue('mock-jwt-token') }
+}))
+
+vi.mock('resend', () => ({
+  Resend: class MockResend {
+    constructor() {
+      this.emails = { send: vi.fn().mockResolvedValue({ id: 'email-123' }) }
+    }
+  }
+}))
+
+import Member from '../../../server/models/member.js'
+import loginHandler from '../../../server/api/auth/login.post.js'
+import { createMockEvent } from '../helpers/createMockEvent.js'
+
+describe('auth login endpoint', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+
+  it('returns generic success message for existing member', async () => {
+    Member.findOne.mockResolvedValue({
+      _id: 'member-123',
+      email: 'exists@example.com'
+    })
+
+    const event = createMockEvent({
+      method: 'POST',
+      path: '/api/auth/login',
+      body: { email: 'exists@example.com' },
+      headers: { host: 'localhost:3000' }
+    })
+
+    const result = await loginHandler(event)
+
+    expect(result).toEqual({
+      success: true,
+      message: "If this email is registered, we've sent a login link."
+    })
+  })
+
+  it('returns identical response for non-existing member (anti-enumeration)', async () => {
+    Member.findOne.mockResolvedValue(null)
+
+    const event = createMockEvent({
+      method: 'POST',
+      path: '/api/auth/login',
+      body: { email: 'nonexistent@example.com' },
+      headers: { host: 'localhost:3000' }
+    })
+
+    const result = await loginHandler(event)
+
+    expect(result).toEqual({
+      success: true,
+      message: "If this email is registered, we've sent a login link."
+    })
+  })
+
+  it('both existing and non-existing produce same shape and message', async () => {
+    // Existing member
+    Member.findOne.mockResolvedValue({ _id: 'member-123', email: 'a@b.com' })
+    const event1 = createMockEvent({
+      method: 'POST',
+      path: '/api/auth/login',
+      body: { email: 'a@b.com' },
+      headers: { host: 'localhost:3000' }
+    })
+    const result1 = await loginHandler(event1)
+
+    vi.clearAllMocks()
+
+    // Non-existing member
+    Member.findOne.mockResolvedValue(null)
+    const event2 = createMockEvent({
+      method: 'POST',
+      path: '/api/auth/login',
+      body: { email: 'nobody@example.com' },
+      headers: { host: 'localhost:3000' }
+    })
+    const result2 = await loginHandler(event2)
+
+    // Response shape and message must be identical
+    expect(Object.keys(result1).sort()).toEqual(Object.keys(result2).sort())
+    expect(result1.success).toBe(result2.success)
+    expect(result1.message).toBe(result2.message)
+  })
+
+  it('throws 400 when email is missing from body', async () => {
+    const event = createMockEvent({
+      method: 'POST',
+      path: '/api/auth/login',
+      body: {},
+      headers: { host: 'localhost:3000' }
+    })
+
+    await expect(loginHandler(event)).rejects.toMatchObject({
+      statusCode: 400,
+      statusMessage: 'Email is required'
+    })
+  })
+})
diff --git a/tests/server/api/members-profile-patch.test.js b/tests/server/api/members-profile-patch.test.js
new file mode 100644
index 0000000..d18436c
--- /dev/null
+++ b/tests/server/api/members-profile-patch.test.js
@@ -0,0 +1,157 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+
+vi.mock('../../../server/utils/auth.js', () => ({
+  requireAuth: vi.fn()
+}))
+
+vi.mock('../../../server/models/member.js', () => ({
+  default: { findByIdAndUpdate: vi.fn() }
+}))
+
+import { requireAuth } from '../../../server/utils/auth.js'
+import Member from '../../../server/models/member.js'
+import profilePatchHandler from '../../../server/api/members/profile.patch.js'
+import { createMockEvent } from '../helpers/createMockEvent.js'
+
+describe('members profile PATCH endpoint', () => {
+  const mockMember = {
+    _id: 'member-123',
+    email: 'test@example.com',
+    name: 'Test User',
+    circle: 'community',
+    contributionTier: 5,
+    pronouns: 'they/them',
+    timeZone: 'America/New_York',
+    avatar: 'https://example.com/avatar.jpg',
+    studio: 'Test Studio',
+    bio: 'Updated bio',
+    location: 'NYC',
+    socialLinks: { twitter: '@test' },
+    offering: { text: 'help', tags: ['code'] },
+    lookingFor: { text: 'feedback', tags: ['design'] },
+    showInDirectory: true
+  }
+
+  beforeEach(() => {
+    vi.clearAllMocks()
+    requireAuth.mockResolvedValue({ _id: 'member-123' })
+    Member.findByIdAndUpdate.mockResolvedValue(mockMember)
+  })
+
+  describe('field allowlist - forbidden fields are rejected', () => {
+    it('does not pass helcimCustomerId to database update', async () => {
+      const event = createMockEvent({
+        method: 'PATCH',
+        path: '/api/members/profile',
+        body: { bio: 'new bio', helcimCustomerId: 'hacked-id' }
+      })
+
+      await profilePatchHandler(event)
+
+      const updateCall = Member.findByIdAndUpdate.mock.calls[0]
+      const setData = updateCall[1].$set
+      expect(setData).not.toHaveProperty('helcimCustomerId')
+      expect(setData).toHaveProperty('bio', 'new bio')
+    })
+
+    it('does not pass role to database update', async () => {
+      const event = createMockEvent({
+        method: 'PATCH',
+        path: '/api/members/profile',
+        body: { bio: 'new bio', role: 'admin' }
+      })
+
+      await profilePatchHandler(event)
+
+      const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
+      expect(setData).not.toHaveProperty('role')
+    })
+
+    it('does not pass status to database update', async () => {
+      const event = createMockEvent({
+        method: 'PATCH',
+        path: '/api/members/profile',
+        body: { bio: 'new bio', status: 'active' }
+      })
+
+      await profilePatchHandler(event)
+
+      const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
+      expect(setData).not.toHaveProperty('status')
+    })
+
+    it('does not pass email to database update', async () => {
+      const event = createMockEvent({
+        method: 'PATCH',
+        path: '/api/members/profile',
+        body: { bio: 'new bio', email: 'hacked@evil.com' }
+      })
+
+      await profilePatchHandler(event)
+
+      const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
+      expect(setData).not.toHaveProperty('email')
+    })
+
+    it('does not pass _id to database update', async () => {
+      const event = createMockEvent({
+        method: 'PATCH',
+        path: '/api/members/profile',
+        body: { bio: 'new bio', _id: 'different-id' }
+      })
+
+      await profilePatchHandler(event)
+
+      const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
+      expect(setData).not.toHaveProperty('_id')
+    })
+  })
+
+  describe('field allowlist - allowed fields pass through', () => {
+    it('passes allowed profile fields through', async () => {
+      const event = createMockEvent({
+        method: 'PATCH',
+        path: '/api/members/profile',
+        body: {
+          pronouns: 'they/them',
+          bio: 'Updated bio',
+          studio: 'Test Studio',
+          location: 'NYC',
+          timeZone: 'America/New_York',
+          avatar: 'https://example.com/avatar.jpg',
+          showInDirectory: true,
+          socialLinks: { twitter: '@test' }
+        }
+      })
+
+      await profilePatchHandler(event)
+
+      const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
+      expect(setData).toHaveProperty('pronouns', 'they/them')
+      expect(setData).toHaveProperty('bio', 'Updated bio')
+      expect(setData).toHaveProperty('studio', 'Test Studio')
+      expect(setData).toHaveProperty('location', 'NYC')
+      expect(setData).toHaveProperty('timeZone', 'America/New_York')
+      expect(setData).toHaveProperty('avatar', 'https://example.com/avatar.jpg')
+      expect(setData).toHaveProperty('showInDirectory', true)
+      expect(setData).toHaveProperty('socialLinks')
+    })
+
+    it('passes offering and lookingFor nested objects through', async () => {
+      const event = createMockEvent({
+        method: 'PATCH',
+        path: '/api/members/profile',
+        body: {
+          offering: { text: 'mentoring', tags: ['code', 'design'] },
+          lookingFor: { text: 'feedback', tags: ['art'] }
+        }
+      })
+
+      await profilePatchHandler(event)
+
+      const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
+      expect(setData.offering).toEqual({ text: 'mentoring', tags: ['code', 'design'] })
+      expect(setData.lookingFor).toEqual({ text: 'feedback', tags: ['art'] })
+    })
+  })
+})
diff --git a/tests/server/helpers/createMockEvent.js b/tests/server/helpers/createMockEvent.js
new file mode 100644
index 0000000..922f9cd
--- /dev/null
+++ b/tests/server/helpers/createMockEvent.js
@@ -0,0 +1,72 @@
+import { IncomingMessage, ServerResponse } from 'node:http'
+import { Socket } from 'node:net'
+import { createEvent } from 'h3'
+
+/**
+ * Create a real h3 event backed by real Node.js request/response objects.
+ *
+ * Options:
+ *   method        - HTTP method (default 'GET')
+ *   path          - Request path (default '/')
+ *   headers       - Object of request headers
+ *   cookies       - Object of cookie key/value pairs (serialized to cookie header)
+ *   body          - Request body (will be JSON-serialized)
+ *   remoteAddress - Client IP (default '127.0.0.1')
+ */
+export function createMockEvent(options = {}) {
+  const {
+    method = 'GET',
+    path = '/',
+    headers = {},
+    cookies = {},
+    body = undefined,
+    remoteAddress = '127.0.0.1'
+  } = options
+
+  // Build cookie header from cookies object
+  const cookiePairs = Object.entries(cookies).map(([k, v]) => `${k}=${v}`)
+  if (cookiePairs.length > 0) {
+    headers.cookie = [headers.cookie, cookiePairs.join('; ')].filter(Boolean).join('; ')
+  }
+
+  // Build a real IncomingMessage
+  const socket = new Socket()
+  // remoteAddress is a getter-only property on Socket, so use defineProperty
+  Object.defineProperty(socket, 'remoteAddress', {
+    value: remoteAddress,
+    writable: true,
+    configurable: true
+  })
+  const req = new IncomingMessage(socket)
+  req.method = method
+  req.url = path
+  req.headers = Object.fromEntries(
+    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v])
+  )
+
+  // If body is provided, push it into the request stream so readBody can consume it
+  if (body !== undefined) {
+    const bodyStr = typeof body === 'string' ? body : JSON.stringify(body)
+    req.headers['content-type'] = req.headers['content-type'] || 'application/json'
+    req.headers['content-length'] = Buffer.byteLength(bodyStr).toString()
+    req.push(bodyStr)
+    req.push(null)
+  }
+
+  const res = new ServerResponse(req)
+
+  // Capture response headers for test assertions
+  const setHeaders = {}
+  const originalSetHeader = res.setHeader.bind(res)
+  res.setHeader = (name, value) => {
+    setHeaders[name.toLowerCase()] = value
+    return originalSetHeader(name, value)
+  }
+
+  const event = createEvent(req, res)
+
+  // Attach captured headers for test access
+  event._testSetHeaders = setHeaders
+
+  return event
+}
diff --git a/tests/server/middleware/csrf.test.js b/tests/server/middleware/csrf.test.js
new file mode 100644
index 0000000..bedca8f
--- /dev/null
+++ b/tests/server/middleware/csrf.test.js
@@ -0,0 +1,127 @@
+import { describe, it, expect, beforeEach } from 'vitest'
+import { createMockEvent } from '../helpers/createMockEvent.js'
+
+// Import the handler — defineEventHandler is a global passthrough,
+// so the default export is the raw handler function.
+import csrfMiddleware from '../../../server/middleware/01.csrf.js'
+
+describe('CSRF middleware', () => {
+  describe('safe methods bypass', () => {
+    it.each(['GET', 'HEAD', 'OPTIONS'])('%s requests pass through', (method) => {
+      const event = createMockEvent({ method, path: '/api/test' })
+      expect(() => csrfMiddleware(event)).not.toThrow()
+    })
+  })
+
+  describe('non-API paths bypass', () => {
+    it('POST to non-/api/ path passes through', () => {
+      const event = createMockEvent({ method: 'POST', path: '/some/page' })
+      expect(() => csrfMiddleware(event)).not.toThrow()
+    })
+  })
+
+  describe('exempt routes bypass', () => {
+    it.each([
+      '/api/helcim/webhook',
+      '/api/slack/webhook',
+      '/api/auth/verify'
+    ])('POST to %s passes through', (path) => {
+      const event = createMockEvent({ method: 'POST', path })
+      expect(() => csrfMiddleware(event)).not.toThrow()
+    })
+  })
+
+  describe('CSRF enforcement on state-changing API requests', () => {
+    it('throws 403 when POST to /api/* has no x-csrf-token header', () => {
+      const event = createMockEvent({
+        method: 'POST',
+        path: '/api/members/profile',
+        cookies: { 'csrf-token': 'abc123' }
+      })
+
+      expect(() => csrfMiddleware(event)).toThrowError(
+        expect.objectContaining({
+          statusCode: 403,
+          statusMessage: 'CSRF token missing or invalid'
+        })
+      )
+    })
+
+    it('throws 403 when header and cookie tokens do not match', () => {
+      const event = createMockEvent({
+        method: 'POST',
+        path: '/api/members/profile',
+        cookies: { 'csrf-token': 'cookie-token' },
+        headers: { 'x-csrf-token': 'different-token' }
+      })
+
+      expect(() => csrfMiddleware(event)).toThrowError(
+        expect.objectContaining({
+          statusCode: 403,
+          statusMessage: 'CSRF token missing or invalid'
+        })
+      )
+    })
+
+    it('passes when header and cookie tokens match', () => {
+      const token = 'matching-token-value'
+      const event = createMockEvent({
+        method: 'POST',
+        path: '/api/members/profile',
+        cookies: { 'csrf-token': token },
+        headers: { 'x-csrf-token': token }
+      })
+
+      expect(() => csrfMiddleware(event)).not.toThrow()
+    })
+
+    it('enforces CSRF on DELETE requests', () => {
+      const event = createMockEvent({
+        method: 'DELETE',
+        path: '/api/admin/events/123',
+        cookies: { 'csrf-token': 'abc' }
+      })
+
+      expect(() => csrfMiddleware(event)).toThrowError(
+        expect.objectContaining({ statusCode: 403 })
+      )
+    })
+
+    it('enforces CSRF on PATCH requests', () => {
+      const event = createMockEvent({
+        method: 'PATCH',
+        path: '/api/members/profile',
+        cookies: { 'csrf-token': 'abc' }
+      })
+
+      expect(() => csrfMiddleware(event)).toThrowError(
+        expect.objectContaining({ statusCode: 403 })
+      )
+    })
+  })
+
+  describe('cookie provisioning', () => {
+    it('sets csrf-token cookie when none exists', () => {
+      const event = createMockEvent({ method: 'GET', path: '/api/test' })
+      csrfMiddleware(event)
+
+      // The middleware calls setCookie which sets a Set-Cookie header
+      const setCookieHeader = event._testSetHeaders['set-cookie']
+      expect(setCookieHeader).toBeDefined()
+      expect(setCookieHeader).toContain('csrf-token=')
+    })
+
+    it('does not set a new cookie when one already exists', () => {
+      const event = createMockEvent({
+        method: 'GET',
+        path: '/api/test',
+        cookies: { 'csrf-token': 'existing-token' }
+      })
+      csrfMiddleware(event)
+
+      const setCookieHeader = event._testSetHeaders['set-cookie']
+      // Should not have set a new cookie
+      expect(setCookieHeader).toBeUndefined()
+    })
+  })
+})
diff --git a/tests/server/middleware/rate-limit.test.js b/tests/server/middleware/rate-limit.test.js
new file mode 100644
index 0000000..2f81a62
--- /dev/null
+++ b/tests/server/middleware/rate-limit.test.js
@@ -0,0 +1,95 @@
+import { describe, it, expect, beforeEach, vi } from 'vitest'
+import { createMockEvent } from '../helpers/createMockEvent.js'
+
+describe('rate-limit middleware', () => {
+  // Fresh import per describe block to get fresh limiter instances
+  let rateLimitMiddleware
+
+  beforeEach(async () => {
+    vi.resetModules()
+    const mod = await import('../../../server/middleware/03.rate-limit.js')
+    rateLimitMiddleware = mod.default
+  })
+
+  describe('non-API paths', () => {
+    it('skips rate limiting for non-/api/ paths', async () => {
+      const event = createMockEvent({ path: '/about', remoteAddress: '10.0.0.1' })
+      await expect(rateLimitMiddleware(event)).resolves.toBeUndefined()
+    })
+  })
+
+  describe('auth endpoint limiting (5 per 5 min)', () => {
+    it('allows 5 requests then blocks the 6th', async () => {
+      const ip = '10.0.1.1'
+
+      // First 5 should succeed
+      for (let i = 0; i < 5; i++) {
+        const event = createMockEvent({
+          method: 'POST',
+          path: '/api/auth/login',
+          remoteAddress: ip
+        })
+        await expect(rateLimitMiddleware(event)).resolves.toBeUndefined()
+      }
+
+      // 6th should be rate limited
+      const event = createMockEvent({
+        method: 'POST',
+        path: '/api/auth/login',
+        remoteAddress: ip
+      })
+      await expect(rateLimitMiddleware(event)).rejects.toMatchObject({
+        statusCode: 429
+      })
+
+      // Check Retry-After header was set
+      expect(event._testSetHeaders['retry-after']).toBeDefined()
+    })
+  })
+
+  describe('payment endpoint limiting (10 per min)', () => {
+    it('allows 10 requests then blocks the 11th', async () => {
+      const ip = '10.0.2.1'
+
+      for (let i = 0; i < 10; i++) {
+        const event = createMockEvent({
+          method: 'POST',
+          path: '/api/helcim/initialize-payment',
+          remoteAddress: ip
+        })
+        await expect(rateLimitMiddleware(event)).resolves.toBeUndefined()
+      }
+
+      const event = createMockEvent({
+        method: 'POST',
+        path: '/api/helcim/initialize-payment',
+        remoteAddress: ip
+      })
+      await expect(rateLimitMiddleware(event)).rejects.toMatchObject({
+        statusCode: 429
+      })
+    })
+  })
+
+  describe('IP isolation', () => {
+    it('different IPs have separate rate limit counters', async () => {
+      // Exhaust limit for IP A
+      for (let i = 0; i < 5; i++) {
+        const event = createMockEvent({
+          method: 'POST',
+          path: '/api/auth/login',
+          remoteAddress: '10.0.3.1'
+        })
+        await rateLimitMiddleware(event)
+      }
+
+      // IP B should still be able to make requests
+      const event = createMockEvent({
+        method: 'POST',
+        path: '/api/auth/login',
+        remoteAddress: '10.0.3.2'
+      })
+      await expect(rateLimitMiddleware(event)).resolves.toBeUndefined()
+    })
+  })
+})
diff --git a/tests/server/middleware/security-headers.test.js b/tests/server/middleware/security-headers.test.js
new file mode 100644
index 0000000..e6b50b1
--- /dev/null
+++ b/tests/server/middleware/security-headers.test.js
@@ -0,0 +1,106 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest'
+import { createMockEvent } from '../helpers/createMockEvent.js'
+import securityHeadersMiddleware from '../../../server/middleware/02.security-headers.js'
+
+describe('security-headers middleware', () => {
+  const originalNodeEnv = process.env.NODE_ENV
+
+  afterEach(() => {
+    process.env.NODE_ENV = originalNodeEnv
+  })
+
+  describe('always-present headers', () => {
+    beforeEach(() => {
+      process.env.NODE_ENV = 'development'
+    })
+
+    it('sets X-Content-Type-Options to nosniff', () => {
+      const event = createMockEvent({ path: '/' })
+      securityHeadersMiddleware(event)
+      expect(event._testSetHeaders['x-content-type-options']).toBe('nosniff')
+    })
+
+    it('sets X-Frame-Options to DENY', () => {
+      const event = createMockEvent({ path: '/' })
+      securityHeadersMiddleware(event)
+      expect(event._testSetHeaders['x-frame-options']).toBe('DENY')
+    })
+
+    it('sets X-XSS-Protection to 0', () => {
+      const event = createMockEvent({ path: '/' })
+      securityHeadersMiddleware(event)
+      expect(event._testSetHeaders['x-xss-protection']).toBe('0')
+    })
+
+    it('sets Referrer-Policy', () => {
+      const event = createMockEvent({ path: '/' })
+      securityHeadersMiddleware(event)
+      expect(event._testSetHeaders['referrer-policy']).toBe('strict-origin-when-cross-origin')
+    })
+
+    it('sets Permissions-Policy', () => {
+      const event = createMockEvent({ path: '/' })
+      securityHeadersMiddleware(event)
+      expect(event._testSetHeaders['permissions-policy']).toBe('camera=(), microphone=(), geolocation=()')
+    })
+  })
+
+  describe('production-only headers', () => {
+    it('sets HSTS in production', () => {
+      process.env.NODE_ENV = 'production'
+      const event = createMockEvent({ path: '/' })
+      securityHeadersMiddleware(event)
+      expect(event._testSetHeaders['strict-transport-security']).toBe('max-age=31536000; includeSubDomains')
+    })
+
+    it('does not set HSTS in development', () => {
+      process.env.NODE_ENV = 'development'
+      const event = createMockEvent({ path: '/' })
+      securityHeadersMiddleware(event)
+      expect(event._testSetHeaders['strict-transport-security']).toBeUndefined()
+    })
+
+    it('sets CSP in production', () => {
+      process.env.NODE_ENV = 'production'
+      const event = createMockEvent({ path: '/' })
+      securityHeadersMiddleware(event)
+      expect(event._testSetHeaders['content-security-policy']).toBeDefined()
+    })
+
+    it('does not set CSP in development', () => {
+      process.env.NODE_ENV = 'development'
+      const event = createMockEvent({ path: '/' })
+      securityHeadersMiddleware(event)
+      expect(event._testSetHeaders['content-security-policy']).toBeUndefined()
+    })
+  })
+
+  describe('CSP directives', () => {
+    beforeEach(() => {
+      process.env.NODE_ENV = 'production'
+    })
+
+    it('includes Helcim sources in CSP', () => {
+      const event = createMockEvent({ path: '/' })
+      securityHeadersMiddleware(event)
+      const csp = event._testSetHeaders['content-security-policy']
+      expect(csp).toContain('myposjs.helcim.com')
+      expect(csp).toContain('api.helcim.com')
+      expect(csp).toContain('secure.helcim.com')
+    })
+
+    it('includes Cloudinary sources in CSP', () => {
+      const event = createMockEvent({ path: '/' })
+      securityHeadersMiddleware(event)
+      const csp = event._testSetHeaders['content-security-policy']
+      expect(csp).toContain('res.cloudinary.com')
+    })
+
+    it('includes Plausible sources in CSP', () => {
+      const event = createMockEvent({ path: '/' })
+      securityHeadersMiddleware(event)
+      const csp = event._testSetHeaders['content-security-policy']
+      expect(csp).toContain('plausible.io')
+    })
+  })
+})
diff --git a/tests/server/setup.js b/tests/server/setup.js
new file mode 100644
index 0000000..37575c2
--- /dev/null
+++ b/tests/server/setup.js
@@ -0,0 +1,34 @@
+import { vi } from 'vitest'
+import {
+  getCookie,
+  setCookie,
+  getMethod,
+  getHeader,
+  getHeaders,
+  setHeader,
+  getRequestURL,
+  createError,
+  defineEventHandler,
+  readBody,
+  getQuery,
+  getRouterParam
+} from 'h3'
+
+// Register real h3 functions as globals so server code that relies on
+// Nitro auto-imports can find them in the test environment.
+vi.stubGlobal('getCookie', getCookie)
+vi.stubGlobal('setCookie', setCookie)
+vi.stubGlobal('getMethod', getMethod)
+vi.stubGlobal('getHeader', getHeader)
+vi.stubGlobal('getHeaders', getHeaders)
+vi.stubGlobal('setHeader', setHeader)
+vi.stubGlobal('getRequestURL', getRequestURL)
+vi.stubGlobal('createError', createError)
+vi.stubGlobal('defineEventHandler', defineEventHandler)
+vi.stubGlobal('readBody', readBody)
+vi.stubGlobal('getQuery', getQuery)
+vi.stubGlobal('getRouterParam', getRouterParam)
+
+vi.stubGlobal('useRuntimeConfig', () => ({
+  jwtSecret: 'test-jwt-secret'
+}))
diff --git a/tests/server/utils/auth.test.js b/tests/server/utils/auth.test.js
new file mode 100644
index 0000000..815185f
--- /dev/null
+++ b/tests/server/utils/auth.test.js
@@ -0,0 +1,142 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+
+vi.mock('../../../server/models/member.js', () => ({
+  default: { findById: vi.fn() }
+}))
+
+vi.mock('../../../server/utils/mongoose.js', () => ({
+  connectDB: vi.fn()
+}))
+
+vi.mock('jsonwebtoken', () => ({
+  default: { verify: vi.fn() }
+}))
+
+import Member from '../../../server/models/member.js'
+import jwt from 'jsonwebtoken'
+import { requireAuth, requireAdmin } from '../../../server/utils/auth.js'
+import { createMockEvent } from '../helpers/createMockEvent.js'
+
+describe('requireAuth', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+
+  it('throws 401 when no auth-token cookie', async () => {
+    const event = createMockEvent({ path: '/api/test' })
+
+    await expect(requireAuth(event)).rejects.toMatchObject({
+      statusCode: 401,
+      statusMessage: 'Authentication required'
+    })
+  })
+
+  it('throws 401 when JWT is invalid', async () => {
+    jwt.verify.mockImplementation(() => { throw new Error('invalid token') })
+
+    const event = createMockEvent({
+      path: '/api/test',
+      cookies: { 'auth-token': 'bad-token' }
+    })
+
+    await expect(requireAuth(event)).rejects.toMatchObject({
+      statusCode: 401,
+      statusMessage: 'Invalid or expired token'
+    })
+  })
+
+  it('throws 401 when member not found in DB', async () => {
+    jwt.verify.mockReturnValue({ memberId: 'member-123' })
+    Member.findById.mockResolvedValue(null)
+
+    const event = createMockEvent({
+      path: '/api/test',
+      cookies: { 'auth-token': 'valid-token' }
+    })
+
+    await expect(requireAuth(event)).rejects.toMatchObject({
+      statusCode: 401,
+      statusMessage: 'Member not found'
+    })
+  })
+
+  it('throws 403 when member is suspended', async () => {
+    jwt.verify.mockReturnValue({ memberId: 'member-123' })
+    Member.findById.mockResolvedValue({ _id: 'member-123', status: 'suspended', role: 'member' })
+
+    const event = createMockEvent({
+      path: '/api/test',
+      cookies: { 'auth-token': 'valid-token' }
+    })
+
+    await expect(requireAuth(event)).rejects.toMatchObject({
+      statusCode: 403,
+      statusMessage: 'Account is suspended'
+    })
+  })
+
+  it('throws 403 when member is cancelled', async () => {
+    jwt.verify.mockReturnValue({ memberId: 'member-123' })
+    Member.findById.mockResolvedValue({ _id: 'member-123', status: 'cancelled', role: 'member' })
+
+    const event = createMockEvent({
+      path: '/api/test',
+      cookies: { 'auth-token': 'valid-token' }
+    })
+
+    await expect(requireAuth(event)).rejects.toMatchObject({
+      statusCode: 403,
+      statusMessage: 'Account is cancelled'
+    })
+  })
+
+  it('returns member when token and status are valid', async () => {
+    const mockMember = { _id: 'member-123', status: 'active', role: 'member', email: 'test@example.com' }
+    jwt.verify.mockReturnValue({ memberId: 'member-123' })
+    Member.findById.mockResolvedValue(mockMember)
+
+    const event = createMockEvent({
+      path: '/api/test',
+      cookies: { 'auth-token': 'valid-token' }
+    })
+
+    const result = await requireAuth(event)
+    expect(result).toEqual(mockMember)
+  })
+})
+
+describe('requireAdmin', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+
+  it('throws 403 when member is not admin', async () => {
+    const mockMember = { _id: 'member-123', status: 'active', role: 'member' }
+    jwt.verify.mockReturnValue({ memberId: 'member-123' })
+    Member.findById.mockResolvedValue(mockMember)
+
+    const event = createMockEvent({
+      path: '/api/admin/test',
+      cookies: { 'auth-token': 'valid-token' }
+    })
+
+    await expect(requireAdmin(event)).rejects.toMatchObject({
+      statusCode: 403,
+      statusMessage: 'Admin access required'
+    })
+  })
+
+  it('returns member when role is admin', async () => {
+    const mockMember = { _id: 'admin-123', status: 'active', role: 'admin', email: 'admin@example.com' }
+    jwt.verify.mockReturnValue({ memberId: 'admin-123' })
+    Member.findById.mockResolvedValue(mockMember)
+
+    const event = createMockEvent({
+      path: '/api/admin/test',
+      cookies: { 'auth-token': 'valid-token' }
+    })
+
+    const result = await requireAdmin(event)
+    expect(result).toEqual(mockMember)
+  })
+})
diff --git a/tests/server/utils/escapeHtml.test.js b/tests/server/utils/escapeHtml.test.js
new file mode 100644
index 0000000..359c37c
--- /dev/null
+++ b/tests/server/utils/escapeHtml.test.js
@@ -0,0 +1,60 @@
+import { describe, it, expect } from 'vitest'
+import { escapeHtml } from '../../../server/utils/escapeHtml.js'
+
+describe('escapeHtml', () => {
+  it('escapes ampersands', () => {
+    expect(escapeHtml('a&b')).toBe('a&amp;b')
+  })
+
+  it('escapes less-than signs', () => {
+    expect(escapeHtml('a<b')).toBe('a&lt;b')
+  })
+
+  it('escapes greater-than signs', () => {
+    expect(escapeHtml('a>b')).toBe('a&gt;b')
+  })
+
+  it('escapes double quotes', () => {
+    expect(escapeHtml('a"b')).toBe('a&quot;b')
+  })
+
+  it('escapes single quotes', () => {
+    expect(escapeHtml("a'b")).toBe('a&#39;b')
+  })
+
+  it('escapes all entities in a single string', () => {
+    expect(escapeHtml('<div class="x">&\'test\'')).toBe(
+      '&lt;div class=&quot;x&quot;&gt;&amp;&#39;test&#39;'
+    )
+  })
+
+  it('returns empty string for null', () => {
+    expect(escapeHtml(null)).toBe('')
+  })
+
+  it('returns empty string for undefined', () => {
+    expect(escapeHtml(undefined)).toBe('')
+  })
+
+  it('converts numbers to string', () => {
+    expect(escapeHtml(42)).toBe('42')
+  })
+
+  it('passes safe strings through unchanged', () => {
+    expect(escapeHtml('hello world')).toBe('hello world')
+  })
+
+  it('neutralizes script tag XSS payload', () => {
+    const payload = '<script>alert("xss")</script>'
+    const result = escapeHtml(payload)
+    expect(result).not.toContain('<script>')
+    expect(result).toBe('&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;')
+  })
+
+  it('neutralizes img onerror XSS payload', () => {
+    const payload = '<img onerror="alert(1)" src=x>'
+    const result = escapeHtml(payload)
+    expect(result).not.toContain('<img')
+    expect(result).toBe('&lt;img onerror=&quot;alert(1)&quot; src=x&gt;')
+  })
+})
diff --git a/vitest.config.js b/vitest.config.js
new file mode 100644
index 0000000..5bb28eb
--- /dev/null
+++ b/vitest.config.js
@@ -0,0 +1,25 @@
+import { defineConfig } from 'vitest/config'
+
+export default defineConfig({
+  test: {
+    projects: [
+      {
+        test: {
+          name: 'server',
+          include: ['tests/server/**/*.test.js'],
+          environment: 'node',
+          globals: true,
+          setupFiles: ['./tests/server/setup.js']
+        }
+      },
+      {
+        test: {
+          name: 'client',
+          include: ['tests/client/**/*.test.js'],
+          environment: 'jsdom',
+          globals: true
+        }
+      }
+    ]
+  }
+})