Add Zod validation, fix mass assignment, remove test endpoints and dead code

- Add centralized Zod schemas (server/utils/schemas.js) and validateBody
  utility for all API endpoints
- Fix critical mass assignment in member creation: raw body no longer
  passed to new Member(), only validated fields (email, name, circle,
  contributionTier) are accepted
- Apply Zod validation to login, profile patch, event registration,
  updates, verify-payment, and admin event creation endpoints
- Fix logout cookie flags to match login (httpOnly: true, secure
  conditional on NODE_ENV)
- Delete unauthenticated test/debug endpoints (test-connection,
  test-subscription, test-bot)
- Remove sensitive console.log statements from Helcim and member
  endpoints
- Remove unused bcryptjs dependency
- Add 10MB file size limit on image uploads
- Use runtime config for JWT secret across all endpoints
- Add 38 validation tests (117 total, all passing)

server/api/updates/[id].delete.js

@@ -16,7 +16,7 @@ export default defineEventHandler(async (event) => {
 
   let memberId;
   try {
-    const decoded = jwt.verify(token, process.env.JWT_SECRET);
+    const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
     memberId = decoded.memberId;
   } catch (err) {
     throw createError({

server/api/updates/[id].get.js

@@ -12,7 +12,7 @@ export default defineEventHandler(async (event) => {
   // Check if user is authenticated
   if (token) {
     try {
-      const decoded = jwt.verify(token, process.env.JWT_SECRET);
+      const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
       memberId = decoded.memberId;
     } catch (err) {
       // Token invalid, continue as non-member

server/api/updates/[id].patch.js

@@ -16,7 +16,7 @@ export default defineEventHandler(async (event) => {
 
   let memberId;
   try {
-    const decoded = jwt.verify(token, process.env.JWT_SECRET);
+    const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
     memberId = decoded.memberId;
   } catch (err) {
     throw createError({

server/api/updates/index.get.js

@@ -11,7 +11,7 @@ export default defineEventHandler(async (event) => {
   // Check if user is authenticated
   if (token) {
     try {
-      const decoded = jwt.verify(token, process.env.JWT_SECRET);
+      const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
       memberId = decoded.memberId;
     } catch (err) {
       // Token invalid, continue as non-member

server/api/updates/index.post.js

@@ -1,6 +1,8 @@
 import jwt from "jsonwebtoken";
 import Update from "../../models/update.js";
 import { connectDB } from "../../utils/mongoose.js";
+import { validateBody } from "../../utils/validateBody.js";
+import { updateCreateSchema } from "../../utils/schemas.js";
 
 export default defineEventHandler(async (event) => {
   await connectDB();
@@ -16,7 +18,7 @@ export default defineEventHandler(async (event) => {
 
   let memberId;
   try {
-    const decoded = jwt.verify(token, process.env.JWT_SECRET);
+    const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
     memberId = decoded.memberId;
   } catch (err) {
     throw createError({
@@ -25,14 +27,7 @@ export default defineEventHandler(async (event) => {
     });
   }
 
-  const body = await readBody(event);
-
-  if (!body.content || !body.content.trim()) {
-    throw createError({
-      statusCode: 400,
-      statusMessage: "Content is required",
-    });
-  }
+  const body = await validateBody(event, updateCreateSchema);
 
   try {
     const update = await Update.create({

server/api/updates/my-updates.get.js

@@ -16,7 +16,7 @@ export default defineEventHandler(async (event) => {
 
   let memberId;
   try {
-    const decoded = jwt.verify(token, process.env.JWT_SECRET);
+    const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
     memberId = decoded.memberId;
   } catch (err) {
     throw createError({

server/api/updates/user/[id].get.js

@@ -13,7 +13,7 @@ export default defineEventHandler(async (event) => {
   // Check if user is authenticated
   if (token) {
     try {
-      const decoded = jwt.verify(token, process.env.JWT_SECRET);
+      const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
       currentMemberId = decoded.memberId;
     } catch (err) {
       // Token invalid, continue as non-member