feat(billing): add payment history API route

Add GET /api/helcim/payment-history returning the authenticated
member's normalized Helcim card transactions (newest first, capped
at 50). Resolves helcimCustomerId -> customerCode via getHelcimCustomer
before calling listHelcimCustomerTransactions. Returns
{ transactions: [] } when the member has no helcimCustomerId, and
{ transactions: [], error: 'unavailable' } (HTTP 200) on Helcim
failures so the UI can render fallback copy.

Covered by unit tests at tests/server/api/helcim-payment-history.test.js
(auth, missing customer id, happy path, both Helcim failure paths,
missing customerCode).

server/api/helcim/payment-history.get.js

@@ -0,0 +1,35 @@
+// Return the authenticated member's recent Helcim card transactions.
+// No status gate — historical reads are safe for any auth'd status.
+// On Helcim errors, returns { transactions: [], error: 'unavailable' } (HTTP 200)
+// so the client can render fallback copy without a crash.
+import { requireAuth } from '../../utils/auth.js'
+import { getHelcimCustomer, listHelcimCustomerTransactions } from '../../utils/helcim.js'
+
+export default defineEventHandler(async (event) => {
+  const member = await requireAuth(event)
+
+  if (!member.helcimCustomerId) {
+    return { transactions: [] }
+  }
+
+  try {
+    const customerData = await getHelcimCustomer(member.helcimCustomerId)
+    const customerCode = customerData?.customerCode
+
+    if (!customerCode) {
+      console.error('[payment-history] Helcim customer missing customerCode', {
+        helcimCustomerId: member.helcimCustomerId
+      })
+      return { transactions: [], error: 'unavailable' }
+    }
+
+    const transactions = await listHelcimCustomerTransactions(customerCode)
+    return { transactions }
+  } catch (error) {
+    console.error('[payment-history] Helcim lookup failed', {
+      helcimCustomerId: member.helcimCustomerId,
+      error: error?.message || error
+    })
+    return { transactions: [], error: 'unavailable' }
+  }
+})