Add Vitest security test suite and update security evaluation doc

Set up Vitest with server (node) and client (jsdom) test projects.
79 tests across 8 files verify all Phase 0-1 security controls:
escapeHtml sanitization, DOMPurify markdown XSS prevention, CSRF
enforcement, security headers, rate limiting, auth guards, profile
field allowlist, and login anti-enumeration. Updated SECURITY_EVALUATION.md
with remediation status, implementation summary, and automated test
coverage details.

tests/server/api/auth-login.test.js

@@ -0,0 +1,113 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+
+vi.mock('../../../server/models/member.js', () => ({
+  default: { findOne: vi.fn() }
+}))
+
+vi.mock('../../../server/utils/mongoose.js', () => ({
+  connectDB: vi.fn()
+}))
+
+vi.mock('jsonwebtoken', () => ({
+  default: { sign: vi.fn().mockReturnValue('mock-jwt-token') }
+}))
+
+vi.mock('resend', () => ({
+  Resend: class MockResend {
+    constructor() {
+      this.emails = { send: vi.fn().mockResolvedValue({ id: 'email-123' }) }
+    }
+  }
+}))
+
+import Member from '../../../server/models/member.js'
+import loginHandler from '../../../server/api/auth/login.post.js'
+import { createMockEvent } from '../helpers/createMockEvent.js'
+
+describe('auth login endpoint', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+
+  it('returns generic success message for existing member', async () => {
+    Member.findOne.mockResolvedValue({
+      _id: 'member-123',
+      email: 'exists@example.com'
+    })
+
+    const event = createMockEvent({
+      method: 'POST',
+      path: '/api/auth/login',
+      body: { email: 'exists@example.com' },
+      headers: { host: 'localhost:3000' }
+    })
+
+    const result = await loginHandler(event)
+
+    expect(result).toEqual({
+      success: true,
+      message: "If this email is registered, we've sent a login link."
+    })
+  })
+
+  it('returns identical response for non-existing member (anti-enumeration)', async () => {
+    Member.findOne.mockResolvedValue(null)
+
+    const event = createMockEvent({
+      method: 'POST',
+      path: '/api/auth/login',
+      body: { email: 'nonexistent@example.com' },
+      headers: { host: 'localhost:3000' }
+    })
+
+    const result = await loginHandler(event)
+
+    expect(result).toEqual({
+      success: true,
+      message: "If this email is registered, we've sent a login link."
+    })
+  })
+
+  it('both existing and non-existing produce same shape and message', async () => {
+    // Existing member
+    Member.findOne.mockResolvedValue({ _id: 'member-123', email: 'a@b.com' })
+    const event1 = createMockEvent({
+      method: 'POST',
+      path: '/api/auth/login',
+      body: { email: 'a@b.com' },
+      headers: { host: 'localhost:3000' }
+    })
+    const result1 = await loginHandler(event1)
+
+    vi.clearAllMocks()
+
+    // Non-existing member
+    Member.findOne.mockResolvedValue(null)
+    const event2 = createMockEvent({
+      method: 'POST',
+      path: '/api/auth/login',
+      body: { email: 'nobody@example.com' },
+      headers: { host: 'localhost:3000' }
+    })
+    const result2 = await loginHandler(event2)
+
+    // Response shape and message must be identical
+    expect(Object.keys(result1).sort()).toEqual(Object.keys(result2).sort())
+    expect(result1.success).toBe(result2.success)
+    expect(result1.message).toBe(result2.message)
+  })
+
+  it('throws 400 when email is missing from body', async () => {
+    const event = createMockEvent({
+      method: 'POST',
+      path: '/api/auth/login',
+      body: {},
+      headers: { host: 'localhost:3000' }
+    })
+
+    await expect(loginHandler(event)).rejects.toMatchObject({
+      statusCode: 400,
+      statusMessage: 'Email is required'
+    })
+  })
+})