Add Zod validation, fix mass assignment, remove test endpoints and dead code

- Add centralized Zod schemas (server/utils/schemas.js) and validateBody
  utility for all API endpoints
- Fix critical mass assignment in member creation: raw body no longer
  passed to new Member(), only validated fields (email, name, circle,
  contributionTier) are accepted
- Apply Zod validation to login, profile patch, event registration,
  updates, verify-payment, and admin event creation endpoints
- Fix logout cookie flags to match login (httpOnly: true, secure
  conditional on NODE_ENV)
- Delete unauthenticated test/debug endpoints (test-connection,
  test-subscription, test-bot)
- Remove sensitive console.log statements from Helcim and member
  endpoints
- Remove unused bcryptjs dependency
- Add 10MB file size limit on image uploads
- Use runtime config for JWT secret across all endpoints
- Add 38 validation tests (117 total, all passing)

server/api/upload/image.post.js

@@ -39,6 +39,15 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    // Validate file size (10MB limit)
+    const maxSize = 10 * 1024 * 1024
+    if (fileData.data.length > maxSize) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'File too large. Maximum size is 10MB.'
+      })
+    }
+
     // Convert buffer to base64 for Cloudinary upload
     const base64File = `data:${fileData.type};base64,${fileData.data.toString('base64')}`