From d31b5b4dace3e17624d7bdb54afdeffdd2560d03 Mon Sep 17 00:00:00 2001
From: Jennie Robinson Faber <jennie@jenniefaber.com>
Date: Sat, 4 Apr 2026 13:37:34 +0100
Subject: [PATCH] fix: use private helcimApiToken for all server-side Helcim
 API calls

---
 .serena/.gitignore                            |   2 +
 .serena/project.yml                           | 152 ++++++++++
 CLAUDE.md                                     |  10 +-
 app/assets/css/main.css                       |  12 +-
 app/components/EventTicketCard.vue            |   4 +-
 app/components/EventsMiniSidebar.vue          |  67 ++--
 app/components/SeriesPassPurchase.vue         |  56 ++--
 app/composables/useHelcimPay.js               |   6 +-
 app/pages/about.vue                           |  21 +-
 app/pages/admin/events/index.vue              | 119 +++++++-
 app/pages/admin/members.vue                   | 103 ++++++-
 app/pages/admin/series-management.vue         | 116 ++++---
 app/pages/events/[id].vue                     |   2 +-
 app/pages/index.vue                           |  75 +++--
 app/pages/join.vue                            |   8 +-
 app/pages/member/account.vue                  | 285 ++++++++++++------
 app/pages/member/dashboard.vue                |  35 ++-
 app/pages/member/my-updates.vue               |  12 +-
 app/pages/member/profile.vue                  | 167 ++++++----
 app/pages/series/[id].vue                     |  28 +-
 app/pages/updates/[id]/edit.vue               | 157 ++++++++++
 app/pages/updates/new.vue                     | 139 +++++++++
 app/pages/verify.vue                          |  80 +++++
 server/api/admin/members/[id].put.js          |  42 +++
 server/api/admin/members/invite.post.js       |  40 ++-
 server/api/auth/member.get.js                 |   4 +
 server/api/auth/refresh.post.js               |  14 +-
 server/api/auth/status.get.js                 |   3 +-
 server/api/dev/member-login.get.js            |  41 +++
 .../events/[id]/cancel-registration.post.js   |  29 +-
 server/api/events/[id]/register.post.js       |  18 +-
 server/api/helcim/create-plan.post.js         |   2 +-
 server/api/helcim/customer-code.get.js        |   2 +-
 server/api/helcim/customer.post.js            |   2 +-
 .../api/helcim/get-or-create-customer.post.js |   2 +-
 server/api/helcim/initialize-payment.post.js  |  12 +-
 server/api/helcim/plans.get.js                |   2 +-
 server/api/helcim/subscription.post.js        |   2 +-
 server/api/helcim/subscriptions.get.js        |   2 +-
 server/api/helcim/update-billing.post.js      |   2 +-
 server/api/helcim/verify-payment.post.js      |   2 +-
 .../api/members/cancel-subscription.post.js   |   3 +-
 server/api/members/directory.get.js           |  13 +-
 server/api/members/me/peer-support.patch.js   | 111 +++----
 server/api/members/my-calendar.get.js         | 134 ++++----
 server/api/members/my-events.get.js           |  52 +---
 server/api/members/profile.patch.js           |   2 +
 server/api/members/update-circle.post.js      |  34 +++
 .../api/members/update-contribution.post.js   |  72 ++---
 server/middleware/02.security-headers.js      |   4 +-
 server/middleware/03.rate-limit.js            |   2 +-
 server/models/member.js                       |  15 +-
 server/utils/auth.js                          |   8 +
 53 files changed, 1755 insertions(+), 572 deletions(-)
 create mode 100644 .serena/.gitignore
 create mode 100644 .serena/project.yml
 create mode 100644 app/pages/updates/[id]/edit.vue
 create mode 100644 app/pages/updates/new.vue
 create mode 100644 app/pages/verify.vue
 create mode 100644 server/api/admin/members/[id].put.js
 create mode 100644 server/api/dev/member-login.get.js
 create mode 100644 server/api/members/update-circle.post.js

diff --git a/.serena/.gitignore b/.serena/.gitignore
new file mode 100644
index 0000000..2e510af
--- /dev/null
+++ b/.serena/.gitignore
@@ -0,0 +1,2 @@
+/cache
+/project.local.yml
diff --git a/.serena/project.yml b/.serena/project.yml
new file mode 100644
index 0000000..9d24cb3
--- /dev/null
+++ b/.serena/project.yml
@@ -0,0 +1,152 @@
+# the name by which the project can be referenced within Serena
+project_name: "ghostguild-org"
+
+
+# list of languages for which language servers are started; choose from:
+#   al                  bash                clojure             cpp                 csharp
+#   csharp_omnisharp    dart                elixir              elm                 erlang
+#   fortran             fsharp              go                  groovy              haskell
+#   java                julia               kotlin              lua                 markdown
+#   matlab              nix                 pascal              perl                php
+#   php_phpactor        powershell          python              python_jedi         r
+#   rego                ruby                ruby_solargraph     rust                scala
+#   swift               terraform           toml                typescript          typescript_vts
+#   vue                 yaml                zig
+#   (This list may be outdated. For the current list, see values of Language enum here:
+#   https://github.com/oraios/serena/blob/main/src/solidlsp/ls_config.py
+#   For some languages, there are alternative language servers, e.g. csharp_omnisharp, ruby_solargraph.)
+# Note:
+#   - For C, use cpp
+#   - For JavaScript, use typescript
+#   - For Free Pascal/Lazarus, use pascal
+# Special requirements:
+#   Some languages require additional setup/installations.
+#   See here for details: https://oraios.github.io/serena/01-about/020_programming-languages.html#language-servers
+# When using multiple languages, the first language server that supports a given file will be used for that file.
+# The first language is the default language and the respective language server will be used as a fallback.
+# Note that when using the JetBrains backend, language servers are not used and this list is correspondingly ignored.
+languages:
+- vue
+
+# the encoding used by text files in the project
+# For a list of possible encodings, see https://docs.python.org/3.11/library/codecs.html#standard-encodings
+encoding: "utf-8"
+
+# line ending convention to use when writing source files.
+# Possible values: unset (use global setting), "lf", "crlf", or "native" (platform default)
+# This does not affect Serena's own files (e.g. memories and configuration files), which always use native line endings.
+line_ending:
+
+# The language backend to use for this project.
+# If not set, the global setting from serena_config.yml is used.
+# Valid values: LSP, JetBrains
+# Note: the backend is fixed at startup. If a project with a different backend
+# is activated post-init, an error will be returned.
+language_backend:
+
+# whether to use project's .gitignore files to ignore files
+ignore_all_files_in_gitignore: true
+
+# advanced configuration option allowing to configure language server-specific options.
+# Maps the language key to the options.
+# Have a look at the docstring of the constructors of the LS implementations within solidlsp (e.g., for C# or PHP) to see which options are available.
+# No documentation on options means no options are available.
+ls_specific_settings: {}
+
+# list of additional paths to ignore in this project.
+# Same syntax as gitignore, so you can use * and **.
+# Note: global ignored_paths from serena_config.yml are also applied additively.
+ignored_paths: []
+
+# whether the project is in read-only mode
+# If set to true, all editing tools will be disabled and attempts to use them will result in an error
+# Added on 2025-04-18
+read_only: false
+
+# list of tool names to exclude.
+# This extends the existing exclusions (e.g. from the global configuration)
+#
+# Below is the complete list of tools for convenience.
+# To make sure you have the latest list of tools, and to view their descriptions, 
+# execute `uv run scripts/print_tool_overview.py`.
+#
+#  * `activate_project`: Activates a project by name.
+#  * `check_onboarding_performed`: Checks whether project onboarding was already performed.
+#  * `create_text_file`: Creates/overwrites a file in the project directory.
+#  * `delete_lines`: Deletes a range of lines within a file.
+#  * `delete_memory`: Deletes a memory from Serena's project-specific memory store.
+#  * `execute_shell_command`: Executes a shell command.
+#  * `find_referencing_code_snippets`: Finds code snippets in which the symbol at the given location is referenced.
+#  * `find_referencing_symbols`: Finds symbols that reference the symbol at the given location (optionally filtered by type).
+#  * `find_symbol`: Performs a global (or local) search for symbols with/containing a given name/substring (optionally filtered by type).
+#  * `get_current_config`: Prints the current configuration of the agent, including the active and available projects, tools, contexts, and modes.
+#  * `get_symbols_overview`: Gets an overview of the top-level symbols defined in a given file.
+#  * `initial_instructions`: Gets the initial instructions for the current project.
+#     Should only be used in settings where the system prompt cannot be set,
+#     e.g. in clients you have no control over, like Claude Desktop.
+#  * `insert_after_symbol`: Inserts content after the end of the definition of a given symbol.
+#  * `insert_at_line`: Inserts content at a given line in a file.
+#  * `insert_before_symbol`: Inserts content before the beginning of the definition of a given symbol.
+#  * `list_dir`: Lists files and directories in the given directory (optionally with recursion).
+#  * `list_memories`: Lists memories in Serena's project-specific memory store.
+#  * `onboarding`: Performs onboarding (identifying the project structure and essential tasks, e.g. for testing or building).
+#  * `prepare_for_new_conversation`: Provides instructions for preparing for a new conversation (in order to continue with the necessary context).
+#  * `read_file`: Reads a file within the project directory.
+#  * `read_memory`: Reads the memory with the given name from Serena's project-specific memory store.
+#  * `remove_project`: Removes a project from the Serena configuration.
+#  * `replace_lines`: Replaces a range of lines within a file with new content.
+#  * `replace_symbol_body`: Replaces the full definition of a symbol.
+#  * `restart_language_server`: Restarts the language server, may be necessary when edits not through Serena happen.
+#  * `search_for_pattern`: Performs a search for a pattern in the project.
+#  * `summarize_changes`: Provides instructions for summarizing the changes made to the codebase.
+#  * `switch_modes`: Activates modes by providing a list of their names
+#  * `think_about_collected_information`: Thinking tool for pondering the completeness of collected information.
+#  * `think_about_task_adherence`: Thinking tool for determining whether the agent is still on track with the current task.
+#  * `think_about_whether_you_are_done`: Thinking tool for determining whether the task is truly completed.
+#  * `write_memory`: Writes a named memory (for future reference) to Serena's project-specific memory store.
+excluded_tools: []
+
+# list of tools to include that would otherwise be disabled (particularly optional tools that are disabled by default).
+# This extends the existing inclusions (e.g. from the global configuration).
+included_optional_tools: []
+
+# fixed set of tools to use as the base tool set (if non-empty), replacing Serena's default set of tools.
+# This cannot be combined with non-empty excluded_tools or included_optional_tools.
+fixed_tools: []
+
+# list of mode names to that are always to be included in the set of active modes
+# The full set of modes to be activated is base_modes + default_modes.
+# If the setting is undefined, the base_modes from the global configuration (serena_config.yml) apply.
+# Otherwise, this setting overrides the global configuration.
+# Set this to [] to disable base modes for this project.
+# Set this to a list of mode names to always include the respective modes for this project.
+base_modes:
+
+# list of mode names that are to be activated by default.
+# The full set of modes to be activated is base_modes + default_modes.
+# If the setting is undefined, the default_modes from the global configuration (serena_config.yml) apply.
+# Otherwise, this overrides the setting from the global configuration (serena_config.yml).
+# This setting can, in turn, be overridden by CLI parameters (--mode).
+default_modes:
+
+# initial prompt for the project. It will always be given to the LLM upon activating the project
+# (contrary to the memories, which are loaded on demand).
+initial_prompt: ""
+
+# time budget (seconds) per tool call for the retrieval of additional symbol information
+# such as docstrings or parameter information.
+# This overrides the corresponding setting in the global configuration; see the documentation there.
+# If null or missing, use the setting from the global configuration.
+symbol_info_budget:
+
+# list of regex patterns which, when matched, mark a memory entry as read‑only.
+# Extends the list from the global configuration, merging the two lists.
+read_only_memory_patterns: []
+
+# list of regex patterns for memories to completely ignore.
+# Matching memories will not appear in list_memories or activate_project output
+# and cannot be accessed via read_memory or write_memory.
+# To access ignored memory files, use the read_file tool on the raw file path.
+# Extends the list from the global configuration, merging the two lists.
+# Example: ["_archive/.*", "_episodes/.*"]
+ignored_memory_patterns: []
diff --git a/CLAUDE.md b/CLAUDE.md
index ef32320..ff59a89 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -71,7 +71,10 @@ Copy `.env.example` to `.env`. Required: `MONGODB_URI`, `JWT_SECRET`, `RESEND_AP
 - Use `USwitch` (not `UToggle`) — this is the correct Nuxt UI 3+ component name
 - No fallback/placeholder data — always use real data
 - Follow Nuxt 4 file-based routing conventions for route naming
-- Always check Nuxt UI 3 latest documentation on the web when implementing UI components
+- Always check Nuxt UI 4 latest documentation on the web when implementing UI components
+- Auth API responses (`/api/auth/status`, `/api/auth/member`) must include `status` in the returned member object — `useMemberStatus` defaults to `PENDING_PAYMENT` if missing
+- Helcim payment testing requires ngrok: `npx nuxi dev --https` then `ngrok http https://localhost:3000` — Helcim blocks localhost origins
+- The `/api/helcim/initialize-payment` endpoint skips auth for `event_ticket` type payments (public users can buy tickets)
 
 ## Product Spec
 
@@ -90,8 +93,3 @@ The sections below describe planned and in-progress features for reference.
 ### Resources (Planned)
 - Learning paths by circle, templates and tools, case studies
 - Tag by circle relevance, download tracking, version control
-
-### Implementation Priority
-**Must have:** Payment processing, Slack automation, member dashboard, resource library, event listing/RSVP
-**Nice to have:** Member profiles, peer matching, Cal.com, member updates
-**Post-launch:** Etherpad integration, member-proposed events, advanced search, analytics dashboard
diff --git a/app/assets/css/main.css b/app/assets/css/main.css
index 06098dc..b4f6ac2 100644
--- a/app/assets/css/main.css
+++ b/app/assets/css/main.css
@@ -28,6 +28,7 @@
   --text-dim: #5a5040;
   --text-faint: #8a7e6a;
   --parch: #2a2015;
+  --parch-hover: #3a3025;
   --parch-text: #ede4d0;
   --parch-text-dim: #b8ae98;
   --c-community: #7a4838;
@@ -52,6 +53,7 @@
   --text-dim: #8a7e6a;
   --text-faint: #5a5040;
   --parch: #ede4d0;
+  --parch-hover: #d4c8a8;
   --parch-text: #2a2015;
   --parch-text-dim: #5a5040;
   --c-community: #a06850;
@@ -177,9 +179,17 @@ a:hover { text-decoration: underline; }
 
 /* ---- SECTION DIVIDERS ---- */
 .section-divider {
-  border: none;
+  display: block;
+  width: 100%;
+  max-width: none;
+  box-sizing: border-box;
+  border: 0;
   border-top: 1px dashed var(--border);
   margin: 20px 0 14px;
+  padding: 0;
+  flex: 0 0 auto;
+  align-self: stretch;
+  min-width: 0;
 }
 
 /* ---- MOBILE ---- */
diff --git a/app/components/EventTicketCard.vue b/app/components/EventTicketCard.vue
index 5cd2e05..a392620 100644
--- a/app/components/EventTicketCard.vue
+++ b/app/components/EventTicketCard.vue
@@ -45,7 +45,7 @@
         <!-- Early Bird Badge -->
         <span
           v-if="ticketInfo.isEarlyBird"
-          class="inline-flex items-center px-2 py-1 rounded-full text-xs font-medium bg-amber-100 text-amber-700 dark:bg-amber-900/30 dark:text-amber-400"
+          class="inline-flex items-center px-2 py-1 rounded-full text-xs font-medium bg-candlelight-900/20 text-candlelight-600 dark:bg-candlelight-900/35 dark:text-candlelight-400"
         >
           Early Bird
         </span>
@@ -64,7 +64,7 @@
       <!-- Early Bird Countdown -->
       <div
         v-if="ticketInfo.isEarlyBird && ticketInfo.earlyBirdDeadline"
-        class="mt-2 text-xs text-amber-400"
+        class="mt-2 text-xs text-candlelight-500 dark:text-candlelight-400"
       >
         <Icon name="heroicons:clock" class="w-4 h-4 inline mr-1" />
         Early bird ends {{ formatDeadline(ticketInfo.earlyBirdDeadline) }}
diff --git a/app/components/EventsMiniSidebar.vue b/app/components/EventsMiniSidebar.vue
index cd99c95..84486de 100644
--- a/app/components/EventsMiniSidebar.vue
+++ b/app/components/EventsMiniSidebar.vue
@@ -1,17 +1,29 @@
 <template>
   <aside class="events-mini">
-    <div class="em-label">Upcoming</div>
-    <div v-for="event in events" :key="event._id" class="em-item">
-      <span class="em-date">{{ formatDate(event.date) }}</span>
-      <NuxtLink :to="`/events/${event._id}`" class="em-title">{{ event.title }}</NuxtLink>
-      <span
-        v-if="event.circle"
-        class="em-circle"
-        :style="{ color: `var(--c-${event.circle})` }"
-      >{{ event.circle }}</span>
+    <div class="em-inset">
+      <div class="em-label">Upcoming</div>
+    </div>
+    <div v-if="events?.length" class="em-rows">
+      <div v-for="event in events" :key="event._id" class="em-item">
+        <div class="em-inset em-item-body">
+          <span class="em-date">{{ formatDate(event.date) }}</span>
+          <NuxtLink :to="`/events/${event._id}`" class="em-title">{{ event.title }}</NuxtLink>
+          <span
+            v-if="event.circle"
+            class="em-circle"
+            :style="{ color: `var(--c-${event.circle})` }"
+          >{{ event.circle }}</span>
+        </div>
+      </div>
+    </div>
+    <div v-else class="em-rows">
+      <div class="em-item em-item--plain">
+        <div class="em-inset em-empty">No upcoming events</div>
+      </div>
+    </div>
+    <div class="em-inset em-link-wrap">
+      <NuxtLink to="/events" class="em-link">All events &rarr;</NuxtLink>
     </div>
-    <div v-if="!events?.length" class="em-empty">No upcoming events</div>
-    <NuxtLink to="/events" class="em-link">All events &rarr;</NuxtLink>
   </aside>
 </template>
 
@@ -29,9 +41,17 @@ const formatDate = (dateStr) => {
 
 <style scoped>
 .events-mini {
-  padding: 24px 20px;
-  border-left: 1px dashed var(--border);
+  box-sizing: border-box;
+  align-self: stretch;
+  height: 100%;
   min-height: 100%;
+  padding: 24px 0;
+  border-left: 1px dashed var(--border);
+}
+
+.em-inset {
+  padding-left: 20px;
+  padding-right: 20px;
 }
 
 .em-label {
@@ -43,14 +63,23 @@ const formatDate = (dateStr) => {
 }
 
 .em-item {
-  padding: 8px 0;
   border-bottom: 1px dashed var(--border);
 }
 
-.em-item:last-child {
+.em-rows .em-item:last-child {
   border-bottom: none;
 }
 
+.em-item-body {
+  padding-top: 8px;
+  padding-bottom: 8px;
+}
+
+.em-item--plain .em-empty {
+  padding-top: 8px;
+  padding-bottom: 8px;
+}
+
 .em-date {
   font-size: 11px;
   color: var(--text-faint);
@@ -77,9 +106,12 @@ const formatDate = (dateStr) => {
   display: inline-block;
 }
 
-.em-link {
-  display: block;
+.em-link-wrap {
   margin-top: 12px;
+}
+
+.em-link {
+  display: inline-block;
   font-size: 11px;
   color: var(--candle);
 }
@@ -87,7 +119,6 @@ const formatDate = (dateStr) => {
 .em-empty {
   font-size: 11px;
   color: var(--text-faint);
-  padding: 8px 0;
 }
 
 @media (max-width: 1024px) {
diff --git a/app/components/SeriesPassPurchase.vue b/app/components/SeriesPassPurchase.vue
index 2dc61d9..eda86f7 100644
--- a/app/components/SeriesPassPurchase.vue
+++ b/app/components/SeriesPassPurchase.vue
@@ -21,12 +21,22 @@
 
     <!-- Content -->
     <div v-else-if="passInfo">
-      <!-- Series Pass Card -->
+      <!-- Already Registered State -->
+      <div v-if="passInfo.alreadyRegistered" class="dashed-box p-6">
+        <div class="section-label mb-2">Series Pass</div>
+        <p class="text-[--text]">You're registered for this series.</p>
+        <p v-if="passInfo.registration?.eventsIncluded !== undefined" class="text-[--text-dim] text-sm mt-1">
+          Registered for {{ passInfo.registration.eventsIncluded }} event{{ passInfo.registration.eventsIncluded !== 1 ? 's' : '' }} in this series.
+        </p>
+      </div>
+
+      <!-- Series Pass Card (only when ticket data is available) -->
       <EventSeriesTicketCard
+        v-else-if="passInfo.ticket"
         :ticket="passInfo.ticket"
         :availability="passInfo.availability"
         :available="passInfo.available"
-        :already-registered="passInfo.alreadyRegistered"
+        :already-registered="false"
         :is-member="passInfo.memberInfo?.isMember"
         :total-events="seriesInfo.totalEvents"
         :events="seriesEvents"
@@ -172,7 +182,7 @@ const props = defineProps({
 const emit = defineEmits(["purchase-success", "purchase-error"]);
 
 const toast = useToast();
-const { initializePayment, verifyPayment } = useHelcimPay();
+const { initializeTicketPayment, verifyPayment } = useHelcimPay();
 
 // State
 const loading = ref(true);
@@ -188,19 +198,29 @@ const form = ref({
 
 const isLoggedIn = computed(() => !!props.userEmail);
 
-// Fetch series pass info on mount
+// Fetch series pass info on mount, then re-fetch if userEmail becomes available (auth loads after mount)
 onMounted(async () => {
   await fetchPassInfo();
 });
 
+watch(() => props.userEmail, async (newEmail, oldEmail) => {
+  if (newEmail && !oldEmail) {
+    form.value.email = newEmail;
+    form.value.name = props.userName || form.value.name;
+    await fetchPassInfo();
+  }
+});
+
 const fetchPassInfo = async () => {
   loading.value = true;
   error.value = null;
 
   try {
-    const response = await $fetch(
-      `/api/series/${props.seriesId}/tickets/available`
-    );
+    const email = form.value.email || props.userEmail;
+    const url = email
+      ? `/api/series/${props.seriesId}/tickets/available?email=${encodeURIComponent(email)}`
+      : `/api/series/${props.seriesId}/tickets/available`;
+    const response = await $fetch(url);
 
     passInfo.value = response;
 
@@ -244,15 +264,11 @@ const handleSubmit = async () => {
       paymentProcessing.value = true;
 
       // Initialize Helcim payment for series pass
-      await initializePayment(
+      await initializeTicketPayment(
+        props.seriesId,
         form.value.email,
         passInfo.value.ticket.price,
-        passInfo.value.ticket.currency || "CAD",
-        {
-          type: "series_pass",
-          seriesId: props.seriesId,
-          seriesTitle: props.seriesInfo.title,
-        }
+        props.seriesInfo.title,
       );
 
       // Show Helcim modal and complete payment
@@ -267,15 +283,17 @@ const handleSubmit = async () => {
     }
 
     // Complete series pass purchase
+    const purchaseBody = {
+      name: form.value.name,
+      email: form.value.email,
+    };
+    if (transactionId) purchaseBody.paymentId = transactionId;
+
     const purchaseResponse = await $fetch(
       `/api/series/${props.seriesId}/tickets/purchase`,
       {
         method: "POST",
-        body: {
-          name: form.value.name,
-          email: form.value.email,
-          paymentId: transactionId,
-        },
+        body: purchaseBody,
       }
     );
 
diff --git a/app/composables/useHelcimPay.js b/app/composables/useHelcimPay.js
index 9ca1330..3703295 100644
--- a/app/composables/useHelcimPay.js
+++ b/app/composables/useHelcimPay.js
@@ -239,12 +239,12 @@ export const useHelcimPay = () => {
         // Clean up observer after a timeout
         setTimeout(() => observer.disconnect(), 5000);
 
-        // Add timeout to clean up if no response
+        // Add timeout to clean up if no response (10 minutes for manual card entry)
         setTimeout(() => {
-          console.log("60 seconds passed, cleaning up event listener...");
+          console.log("Payment timeout reached, cleaning up event listener...");
           window.removeEventListener("message", handleHelcimPayEvent);
           reject(new Error("Payment timeout - no response received"));
-        }, 60000);
+        }, 600000);
       } else {
         reject(new Error("appendHelcimPayIframe function not available"));
       }
diff --git a/app/pages/about.vue b/app/pages/about.vue
index fa48bf9..4adbce6 100644
--- a/app/pages/about.vue
+++ b/app/pages/about.vue
@@ -1,5 +1,5 @@
 <template>
-  <div>
+  <div class="about-page">
     <!-- ABOUT HERO (side by side) -->
     <div class="about-hero">
       <div class="about-hero-left">
@@ -82,16 +82,26 @@ const { data: upcomingEvents } = await useFetch('/api/events', {
 </script>
 
 <style scoped>
+/* Flex chain from layout .main-body: hero + grid grow so sidebar column matches main height */
+.about-page {
+  flex: 1;
+  display: flex;
+  flex-direction: column;
+  min-height: 0;
+}
+
 /* ---- ABOUT HERO ---- */
 .about-hero {
   display: grid;
   grid-template-columns: 1fr 1fr;
   gap: 0;
+  align-items: stretch;
   border-bottom: 1px dashed var(--border);
 }
 .about-hero-left {
   padding: 32px 32px 28px;
   border-right: 1px dashed var(--border);
+  align-self: stretch;
 }
 .about-hero-left h1 {
   font-family: 'Brygada 1918', serif;
@@ -109,6 +119,7 @@ const { data: upcomingEvents } = await useFetch('/api/events', {
 }
 .about-hero-right {
   padding: 32px;
+  align-self: stretch;
 }
 .about-hero-right p {
   color: var(--text-dim);
@@ -119,12 +130,20 @@ const { data: upcomingEvents } = await useFetch('/api/events', {
 
 /* ---- CONTENT AREA ---- */
 .content-area {
+  flex: 1;
   display: grid;
   grid-template-columns: 1fr 200px;
+  align-items: stretch;
+  min-height: 0;
 }
 .content-main {
   padding: 0;
   min-width: 0;
+  align-self: stretch;
+  height: 100%;
+  min-height: 100%;
+  display: flex;
+  flex-direction: column;
 }
 
 /* ---- SECTIONS ---- */
diff --git a/app/pages/admin/events/index.vue b/app/pages/admin/events/index.vue
index 7c6c015..4a6e49e 100644
--- a/app/pages/admin/events/index.vue
+++ b/app/pages/admin/events/index.vue
@@ -162,6 +162,25 @@
         No events found matching your criteria
       </div>
     </div>
+    <!-- Confirm Delete Modal -->
+    <div v-if="confirmDelete.show" class="modal-overlay" @click.self="confirmDelete.show = false">
+      <div class="modal">
+        <div class="modal-header">
+          <h2>Delete Event</h2>
+          <button class="modal-close" @click="confirmDelete.show = false">&times;</button>
+        </div>
+        <div class="modal-body">
+          <p>Are you sure you want to delete <strong>"{{ confirmDelete.title }}"</strong>?</p>
+          <p class="help-text" style="margin-top: 8px;">This action cannot be undone.</p>
+        </div>
+        <div class="modal-actions">
+          <button class="btn" @click="confirmDelete.show = false">Cancel</button>
+          <button class="btn btn-danger" :disabled="confirmDelete.deleting" @click="executeDelete">
+            {{ confirmDelete.deleting ? 'Deleting...' : 'Delete' }}
+          </button>
+        </div>
+      </div>
+    </div>
   </div>
 </template>
 
@@ -255,16 +274,25 @@ const duplicateEvent = (event) => {
   navigateTo('/admin/events/create?duplicate=true')
 }
 
-const deleteEvent = async (event) => {
-  if (confirm(`Are you sure you want to delete "${event.title}"?`)) {
-    try {
-      await $fetch(`/api/admin/events/${String(event._id)}`, {
-        method: 'DELETE',
-      })
-      await refresh()
-    } catch (error) {
-      console.error('Failed to delete event:', error)
-    }
+const confirmDelete = reactive({ show: false, id: null, title: '', deleting: false })
+
+const deleteEvent = (event) => {
+  confirmDelete.id = String(event._id)
+  confirmDelete.title = event.title
+  confirmDelete.deleting = false
+  confirmDelete.show = true
+}
+
+const executeDelete = async () => {
+  confirmDelete.deleting = true
+  try {
+    await $fetch(`/api/admin/events/${confirmDelete.id}`, { method: 'DELETE' })
+    confirmDelete.show = false
+    await refresh()
+  } catch (error) {
+    console.error('Failed to delete event:', error)
+  } finally {
+    confirmDelete.deleting = false
   }
 }
 
@@ -588,6 +616,77 @@ tbody td {
   to { transform: rotate(360deg); }
 }
 
+/* ---- MODALS ---- */
+.modal-overlay {
+  position: fixed;
+  inset: 0;
+  background: rgba(0, 0, 0, 0.4);
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  z-index: 50;
+}
+
+.modal {
+  background: var(--bg);
+  border: 1px dashed var(--border);
+  max-width: 440px;
+  width: 100%;
+  margin: 16px;
+}
+
+.modal-header {
+  display: flex;
+  justify-content: space-between;
+  align-items: center;
+  padding: 20px 24px 16px;
+  border-bottom: 1px dashed var(--border);
+}
+
+.modal-header h2 {
+  font-family: 'Brygada 1918', serif;
+  font-size: 18px;
+  font-weight: 500;
+  color: var(--text-bright);
+}
+
+.modal-close {
+  background: none;
+  border: none;
+  color: var(--text-faint);
+  font-size: 20px;
+  cursor: pointer;
+  padding: 0 4px;
+  line-height: 1;
+}
+
+.modal-close:hover {
+  color: var(--text);
+}
+
+.modal-body {
+  padding: 20px 24px;
+}
+
+.modal-body p {
+  font-size: 13px;
+  color: var(--text);
+  line-height: 1.5;
+}
+
+.modal-actions {
+  display: flex;
+  justify-content: flex-end;
+  gap: 8px;
+  padding: 16px 24px;
+  border-top: 1px dashed var(--border);
+}
+
+.help-text {
+  font-size: 11px;
+  color: var(--text-dim);
+}
+
 /* ---- RESPONSIVE ---- */
 @media (max-width: 768px) {
   .page-header {
diff --git a/app/pages/admin/members.vue b/app/pages/admin/members.vue
index 1d80c64..6421d1b 100644
--- a/app/pages/admin/members.vue
+++ b/app/pages/admin/members.vue
@@ -248,6 +248,60 @@
       </div>
     </div>
 
+    <!-- Edit Member Modal -->
+    <div v-if="showEditModal" class="modal-overlay" @click.self="showEditModal = false">
+      <div class="modal">
+        <div class="modal-header">
+          <h2>Edit Member</h2>
+          <button class="modal-close" @click="showEditModal = false">&times;</button>
+        </div>
+
+        <form @submit.prevent="submitEditMember" class="modal-body">
+          <div class="field">
+            <label>Name</label>
+            <input v-model="editingMember.name" required />
+          </div>
+          <div class="field">
+            <label>Email</label>
+            <input v-model="editingMember.email" type="email" required />
+          </div>
+          <div class="field">
+            <label>Circle</label>
+            <select v-model="editingMember.circle">
+              <option value="community">Community</option>
+              <option value="founder">Founder</option>
+              <option value="practitioner">Practitioner</option>
+            </select>
+          </div>
+          <div class="field">
+            <label>Contribution Tier</label>
+            <select v-model="editingMember.contributionTier">
+              <option value="0">$0/month</option>
+              <option value="5">$5/month</option>
+              <option value="15">$15/month</option>
+              <option value="30">$30/month</option>
+              <option value="50">$50/month</option>
+            </select>
+          </div>
+          <div class="field">
+            <label>Status</label>
+            <select v-model="editingMember.status">
+              <option value="pending_payment">Pending Payment</option>
+              <option value="active">Active</option>
+              <option value="suspended">Suspended</option>
+              <option value="cancelled">Cancelled</option>
+            </select>
+          </div>
+          <div class="modal-actions">
+            <button type="button" class="btn" @click="showEditModal = false">Cancel</button>
+            <button type="submit" class="btn btn-primary" :disabled="saving">
+              {{ saving ? 'Saving...' : 'Save Changes' }}
+            </button>
+          </div>
+        </form>
+      </div>
+    </div>
+
     <!-- Send Invites Modal -->
     <div v-if="showInviteModal" class="modal-overlay" @click.self="showInviteModal = false">
       <div class="modal modal-wide">
@@ -629,8 +683,55 @@ const sendSlackInvite = (member) => {
   console.log('Send Slack invite to:', member.email)
 }
 
+// --- Edit Member ---
+const showEditModal = ref(false)
+const saving = ref(false)
+const editingMemberId = ref(null)
+const editingMember = reactive({
+  name: '',
+  email: '',
+  circle: 'community',
+  contributionTier: '0',
+  status: 'pending_payment',
+})
+
 const editMember = (member) => {
-  console.log('Edit member:', member._id)
+  editingMemberId.value = member._id
+  Object.assign(editingMember, {
+    name: member.name,
+    email: member.email,
+    circle: member.circle,
+    contributionTier: String(member.contributionTier),
+    status: member.status || 'pending_payment',
+  })
+  showEditModal.value = true
+}
+
+const submitEditMember = async () => {
+  saving.value = true
+  try {
+    await $fetch(`/api/admin/members/${editingMemberId.value}`, {
+      method: 'PUT',
+      body: {
+        name: editingMember.name,
+        email: editingMember.email,
+        circle: editingMember.circle,
+        contributionTier: editingMember.contributionTier,
+        status: editingMember.status,
+      },
+    })
+    showEditModal.value = false
+    await refresh()
+    toast.add({ title: 'Member updated', color: 'green' })
+  } catch (err) {
+    toast.add({
+      title: 'Failed to update member',
+      description: err.data?.statusMessage || err.message,
+      color: 'red',
+    })
+  } finally {
+    saving.value = false
+  }
 }
 </script>
 
diff --git a/app/pages/admin/series-management.vue b/app/pages/admin/series-management.vue
index 285a254..98c482c 100644
--- a/app/pages/admin/series-management.vue
+++ b/app/pages/admin/series-management.vue
@@ -361,6 +361,25 @@
         </div>
       </div>
     </div>
+    <!-- Confirm Action Modal -->
+    <div v-if="confirmAction.show" class="modal-overlay" @click.self="confirmAction.show = false">
+      <div class="modal">
+        <div class="modal-header">
+          <h2>{{ confirmAction.heading }}</h2>
+          <button class="modal-close" @click="confirmAction.show = false">&times;</button>
+        </div>
+        <div class="modal-body">
+          <p>{{ confirmAction.message }}</p>
+          <p class="help-text" style="margin-top: 8px;">This action cannot be undone.</p>
+        </div>
+        <div class="modal-actions">
+          <button class="btn" @click="confirmAction.show = false">Cancel</button>
+          <button class="btn btn-danger" :disabled="confirmAction.running" @click="confirmAction.execute">
+            {{ confirmAction.running ? 'Working...' : confirmAction.label }}
+          </button>
+        </div>
+      </div>
+    </div>
   </div>
 </template>
 
@@ -496,29 +515,47 @@ const editEvent = (event) => {
   navigateTo(`/admin/events/create?edit=${event.id}`)
 }
 
-const removeFromSeries = async (event) => {
-  if (!confirm(`Remove "${event.title}" from its series?`)) return
+const confirmAction = reactive({
+  show: false,
+  heading: '',
+  message: '',
+  label: '',
+  running: false,
+  execute: () => {},
+})
 
-  try {
-    await $fetch(`/api/admin/events/${event.id}`, {
-      method: 'PUT',
-      body: {
-        ...event,
-        series: {
-          isSeriesEvent: false,
-          id: '',
-          title: '',
-          description: '',
-          type: 'workshop_series',
-          position: 1,
-          totalEvents: null,
+const removeFromSeries = (event) => {
+  confirmAction.heading = 'Remove from Series'
+  confirmAction.message = `Remove "${event.title}" from its series?`
+  confirmAction.label = 'Remove'
+  confirmAction.running = false
+  confirmAction.execute = async () => {
+    confirmAction.running = true
+    try {
+      await $fetch(`/api/admin/events/${event.id}`, {
+        method: 'PUT',
+        body: {
+          ...event,
+          series: {
+            isSeriesEvent: false,
+            id: '',
+            title: '',
+            description: '',
+            type: 'workshop_series',
+            position: 1,
+            totalEvents: null,
+          },
         },
-      },
-    })
-    await refresh()
-  } catch (error) {
-    console.error('Failed to remove event from series:', error)
+      })
+      confirmAction.show = false
+      await refresh()
+    } catch (error) {
+      console.error('Failed to remove event from series:', error)
+    } finally {
+      confirmAction.running = false
+    }
   }
+  confirmAction.show = true
 }
 
 const addEventToSeries = (series) => {
@@ -572,23 +609,32 @@ const saveSeriesEdit = async () => {
   }
 }
 
-const deleteSeries = async (series) => {
-  if (!confirm(`Delete the entire "${series.title}" series? This will remove the series relationship from all ${series.eventCount} events.`)) return
-
-  try {
-    for (const event of series.events) {
-      await $fetch(`/api/admin/events/${event.id}`, {
-        method: 'PUT',
-        body: {
-          ...event,
-          series: { isSeriesEvent: false, id: '', title: '', description: '', type: 'workshop_series', position: 1, totalEvents: null },
-        },
-      })
+const deleteSeries = (series) => {
+  confirmAction.heading = 'Delete Series'
+  confirmAction.message = `Delete the entire "${series.title}" series? This will remove the series relationship from all ${series.eventCount} events.`
+  confirmAction.label = 'Delete'
+  confirmAction.running = false
+  confirmAction.execute = async () => {
+    confirmAction.running = true
+    try {
+      for (const event of series.events) {
+        await $fetch(`/api/admin/events/${event.id}`, {
+          method: 'PUT',
+          body: {
+            ...event,
+            series: { isSeriesEvent: false, id: '', title: '', description: '', type: 'workshop_series', position: 1, totalEvents: null },
+          },
+        })
+      }
+      confirmAction.show = false
+      await refresh()
+    } catch (error) {
+      console.error('Failed to delete series:', error)
+    } finally {
+      confirmAction.running = false
     }
-    await refresh()
-  } catch (error) {
-    console.error('Failed to delete series:', error)
   }
+  confirmAction.show = true
 }
 
 const manageSeriesTickets = (series) => {
diff --git a/app/pages/events/[id].vue b/app/pages/events/[id].vue
index b490639..ffc2400 100644
--- a/app/pages/events/[id].vue
+++ b/app/pages/events/[id].vue
@@ -127,7 +127,7 @@
           <div v-else-if="memberData && !canRSVP" class="dashed-box">
             <div class="box-title">Registration</div>
             <p class="reg-status" style="color: var(--ember);">{{ statusConfig.label }}</p>
-            <p class="reg-price">{{ getRSVPMessage }}</p>
+            <p class="reg-price">{{ getRSVPMessage() }}</p>
             <NuxtLink v-if="isPendingPayment" to="#" @click.prevent="completePayment">
               <button class="btn btn-primary" :disabled="isProcessingPayment">
                 {{ isProcessingPayment ? 'Processing...' : 'Complete Payment' }}
diff --git a/app/pages/index.vue b/app/pages/index.vue
index 0899f1b..e0855cc 100644
--- a/app/pages/index.vue
+++ b/app/pages/index.vue
@@ -24,35 +24,51 @@
       </div>
     </div>
 
-    <!-- UPCOMING EVENTS + WIKI -->
+    <!-- UPCOMING EVENTS + WIKI (full-bleed row dividers: border on full-width row, padding on inset only) -->
     <div class="content-row two-col">
       <div class="content-block">
-        <div class="label">Upcoming Events</div>
+        <div class="block-inset">
+          <div class="label">Upcoming Events</div>
+        </div>
         <div v-if="events?.length" class="event-list">
           <div v-for="event in events" :key="event._id" class="event-item">
-            <span class="event-date">{{ formatDate(event.date) }}</span>
-            <span class="event-title">
-              <NuxtLink :to="`/events/${event._id}`">{{ event.title }}</NuxtLink>
-            </span>
-            <CircleBadge v-if="event.circle" :circle="event.circle" />
+            <div class="block-inset event-item-inner">
+              <span class="event-date">{{ formatDate(event.date) }}</span>
+              <span class="event-title">
+                <NuxtLink :to="`/events/${event._id}`">{{ event.title }}</NuxtLink>
+              </span>
+              <CircleBadge v-if="event.circle" :circle="event.circle" />
+            </div>
           </div>
         </div>
-        <p v-else class="empty">No upcoming events</p>
+        <div v-else class="block-inset">
+          <p class="empty">No upcoming events</p>
+        </div>
       </div>
       <div class="content-block">
-        <div class="label">Recently in the Wiki</div>
+        <div class="block-inset">
+          <div class="label">Recently in the Wiki</div>
+        </div>
         <div class="wiki-list">
           <div class="wiki-item">
-            <a href="/wiki">Revenue sharing models</a>
+            <div class="block-inset wiki-item-inner">
+              <a href="/wiki">Revenue sharing models</a>
+            </div>
           </div>
           <div class="wiki-item">
-            <a href="/wiki">What is a cooperative studio?</a>
+            <div class="block-inset wiki-item-inner">
+              <a href="/wiki">What is a cooperative studio?</a>
+            </div>
           </div>
           <div class="wiki-item">
-            <a href="/wiki">Governance structures</a>
+            <div class="block-inset wiki-item-inner">
+              <a href="/wiki">Governance structures</a>
+            </div>
           </div>
           <div class="wiki-item">
-            <a href="/wiki">Legal incorporation guide</a>
+            <div class="block-inset wiki-item-inner">
+              <a href="/wiki">Legal incorporation guide</a>
+            </div>
           </div>
         </div>
       </div>
@@ -164,6 +180,7 @@ const formatDate = (dateStr) => {
 .content-row {
   display: grid;
   grid-template-columns: repeat(3, minmax(0, 1fr));
+  align-items: stretch;
   border-bottom: 1px dashed var(--border);
 }
 .content-row.two-col {
@@ -174,6 +191,14 @@ const formatDate = (dateStr) => {
   border-right: 1px dashed var(--border);
   min-width: 0;
   overflow-wrap: break-word;
+  align-self: stretch;
+}
+.content-row.two-col .content-block {
+  padding: 24px 0;
+}
+.content-row.two-col .block-inset {
+  padding-left: 28px;
+  padding-right: 28px;
 }
 .content-block:last-child { border-right: none; }
 .content-block h2 {
@@ -218,16 +243,23 @@ details p {
 
 /* ---- EVENT LIST ---- */
 .event-item {
+  border-bottom: 1px dashed var(--border);
+}
+.event-list .event-item:last-child {
+  border-bottom: none;
+}
+.event-item-inner {
   display: grid;
   grid-template-columns: 80px 1fr auto;
   gap: 16px;
   align-items: baseline;
-  padding: 10px 0;
-  border-bottom: 1px dashed var(--border);
+  padding-top: 10px;
+  padding-bottom: 10px;
   transition: padding-left 0.2s;
 }
-.event-item:last-child { border-bottom: none; }
-.event-item:hover { padding-left: 4px; }
+.content-row.two-col .event-item:hover .event-item-inner {
+  padding-left: calc(28px + 4px);
+}
 .event-date { color: var(--text-faint); font-size: 12px; }
 .event-title { color: var(--text); font-size: 13px; }
 .event-title a { color: var(--text); text-decoration: none; }
@@ -235,11 +267,16 @@ details p {
 
 /* ---- WIKI LIST ---- */
 .wiki-item {
-  padding: 8px 0;
   border-bottom: 1px dashed var(--border);
   font-size: 13px;
 }
-.wiki-item:last-child { border-bottom: none; }
+.wiki-list .wiki-item:last-child {
+  border-bottom: none;
+}
+.wiki-item-inner {
+  padding-top: 8px;
+  padding-bottom: 8px;
+}
 .wiki-item a { color: var(--text); text-decoration: none; }
 .wiki-item a:hover { color: var(--candle); }
 
diff --git a/app/pages/join.vue b/app/pages/join.vue
index e90c1ae..7dfab40 100644
--- a/app/pages/join.vue
+++ b/app/pages/join.vue
@@ -583,7 +583,7 @@ onUnmounted(() => {
 }
 :deep(.parchment-inset ul li) {
   font-size: 13px;
-  color: #c8bea8;
+  color: var(--parch-text-dim);
   line-height: 1.75;
   padding: 4px 0;
   padding-left: 16px;
@@ -609,6 +609,7 @@ onUnmounted(() => {
 .content-row {
   display: grid;
   grid-template-columns: repeat(3, minmax(0, 1fr));
+  align-items: stretch;
   border-bottom: 1px dashed var(--border);
 }
 .content-block {
@@ -616,6 +617,7 @@ onUnmounted(() => {
   border-right: 1px dashed var(--border);
   min-width: 0;
   overflow-wrap: break-word;
+  align-self: stretch;
 }
 .content-block:last-child {
   border-right: none;
@@ -871,8 +873,8 @@ onUnmounted(() => {
   text-align: center;
 }
 .form-submit:hover {
-  background: #3a3025;
-  border-color: #3a3025;
+  background: var(--parch-hover);
+  border-color: var(--parch-hover);
   color: var(--candle-dim);
   text-decoration: none;
 }
diff --git a/app/pages/member/account.vue b/app/pages/member/account.vue
index 686408e..a82c013 100644
--- a/app/pages/member/account.vue
+++ b/app/pages/member/account.vue
@@ -1,12 +1,12 @@
 <template>
-  <div>
+  <div class="member-account-page">
     <!-- Unauthenticated -->
     <div v-if="!memberData" class="loading">
       <p>Please sign in to access your account settings.</p>
       <button class="btn btn-primary" @click="openLoginModal({ title: 'Sign in to manage your account' })">Sign In</button>
     </div>
 
-    <div v-else>
+    <div v-else class="account-authenticated">
       <!-- PAGE HEADER -->
       <PageHeader title="Account Settings" subtitle="Manage your membership and billing" />
 
@@ -17,81 +17,100 @@
 
             <!-- LEFT COLUMN: Membership Status & Email -->
             <div class="account-col-left">
-              <div class="section-label">Current Membership</div>
+              <section class="account-section">
+                <div class="account-col-inset">
+                  <div class="section-label">Current Membership</div>
 
-              <div class="membership-card">
-                <table>
-                  <tbody>
-                    <tr>
-                      <td>Status</td>
-                      <td>
+                  <div class="membership-card">
+                    <div class="membership-row">
+                      <span class="membership-k">Status</span>
+                      <span class="membership-v">
                         <span class="status-dot" :class="memberData.status || 'active'"></span>
                         {{ memberData.status || 'Active' }}
-                      </td>
-                    </tr>
-                    <tr>
-                      <td>Circle</td>
-                      <td :style="{ color: `var(--c-${memberData.circle || 'community'})` }">
+                      </span>
+                    </div>
+                    <div class="membership-row">
+                      <span class="membership-k">Circle</span>
+                      <span class="membership-v" :style="{ color: `var(--c-${memberData.circle || 'community'})` }">
                         {{ memberData.circle || 'Community' }}
-                      </td>
-                    </tr>
-                    <tr>
-                      <td>Contribution</td>
-                      <td>${{ memberData.contributionAmount || 0 }} / month</td>
-                    </tr>
-                    <tr>
-                      <td>Member since</td>
-                      <td>{{ formatMemberSince(memberData.createdAt) }}</td>
-                    </tr>
-                  </tbody>
-                </table>
-              </div>
+                      </span>
+                    </div>
+                    <div class="membership-row">
+                      <span class="membership-k">Contribution</span>
+                      <span class="membership-v">${{ memberData.contributionTier || 0 }} / month</span>
+                    </div>
+                    <div class="membership-row">
+                      <span class="membership-k">Member since</span>
+                      <span class="membership-v">{{ formatMemberSince(memberData.createdAt) }}</span>
+                    </div>
+                  </div>
+                </div>
+              </section>
 
-              <!-- Email -->
-              <hr class="section-divider">
-              <div class="section-label">Email</div>
-              <div class="email-display">
-                <span class="email-value">{{ memberData.email }}</span>
-              </div>
-              <div class="email-hint">Used for login magic links and notifications</div>
+              <section class="account-section">
+                <div class="account-col-inset">
+                  <div class="section-label">Email</div>
+                  <div class="email-display">
+                    <span class="email-value">{{ memberData.email }}</span>
+                  </div>
+                  <div class="email-hint">Used for login magic links and notifications</div>
+                </div>
+              </section>
 
-              <!-- Danger Zone -->
-              <hr class="section-divider danger">
-              <div class="section-label danger">Danger Zone</div>
-              <div class="danger-zone">
-                <p>Cancelling your membership will immediately revoke access to member-only resources, events, and the Slack workspace. <strong>This action cannot be easily undone.</strong></p>
-                <button class="btn btn-danger" @click="handleCancelMembership" :disabled="isCancelling">
-                  {{ isCancelling ? 'Cancelling...' : 'Cancel Membership' }}
-                </button>
-              </div>
+              <section class="account-section account-section--danger">
+                <div class="account-col-inset">
+                  <div class="section-label danger">Danger Zone</div>
+                  <div class="danger-zone">
+                    <p>Cancelling your membership will immediately revoke access to member-only resources, events, and the Slack workspace. <strong>This action cannot be easily undone.</strong></p>
+                    <div v-if="showCancelConfirm" class="cancel-confirm">
+                      <p class="cancel-confirm-prompt">Are you sure? This cannot be easily undone.</p>
+                      <div class="cancel-confirm-actions">
+                        <button class="btn btn-danger" @click="confirmCancelMembership" :disabled="isCancelling">
+                          {{ isCancelling ? 'Cancelling...' : 'Yes, Cancel' }}
+                        </button>
+                        <button class="btn" @click="showCancelConfirm = false">Nevermind</button>
+                      </div>
+                    </div>
+                    <button v-else class="btn btn-danger" @click="handleCancelMembership" :disabled="isCancelling">
+                      Cancel Membership
+                    </button>
+                  </div>
+                </div>
+              </section>
             </div>
 
             <!-- RIGHT COLUMN: Change Contribution & Circle -->
             <div class="account-col-right">
-              <div class="section-label">Change Contribution</div>
+              <section class="account-section">
+                <div class="account-col-inset">
+                  <div class="section-label">Change Contribution</div>
 
-              <TierPicker v-model="selectedTier" :tiers="tiers" />
-              <div class="tier-hint">Changes take effect on your next billing cycle</div>
-              <button
-                class="btn btn-primary btn-section"
-                @click="handleUpdateTier"
-                :disabled="selectedTier === memberData.contributionAmount || isUpdating"
-              >
-                {{ isUpdating ? 'Updating...' : 'Update Contribution' }}
-              </button>
+                  <TierPicker v-model="selectedTier" :tiers="tiers" />
+                  <div class="tier-hint">Changes take effect on your next billing cycle</div>
+                  <button
+                    class="btn btn-primary btn-section"
+                    @click="handleUpdateTier"
+                    :disabled="selectedTier === Number(memberData.contributionTier || 0) || isUpdating"
+                  >
+                    {{ isUpdating ? 'Updating...' : 'Update Contribution' }}
+                  </button>
+                </div>
+              </section>
 
-              <!-- Change Circle -->
-              <hr class="section-divider">
-              <div class="section-label">Change Circle</div>
+              <section class="account-section">
+                <div class="account-col-inset">
+                  <div class="section-label">Change Circle</div>
 
-              <CirclePicker v-model="selectedCircle" :circles="circleOptions" />
-              <button
-                class="btn btn-primary btn-section"
-                @click="handleUpdateCircle"
-                :disabled="selectedCircle === memberData.circle || isUpdating"
-              >
-                {{ isUpdating ? 'Updating...' : 'Update Circle' }}
-              </button>
+                  <CirclePicker v-model="selectedCircle" :circles="circleOptions" />
+                  <button
+                    class="btn btn-primary btn-section"
+                    @click="handleUpdateCircle"
+                    :disabled="selectedCircle === memberData.circle || isUpdating"
+                  >
+                    {{ isUpdating ? 'Updating...' : 'Update Circle' }}
+                  </button>
+                </div>
+              </section>
             </div>
           </div>
         </div>
@@ -134,7 +153,7 @@ const circleOptions = [
 // Initialize from member data
 watchEffect(() => {
   if (memberData.value) {
-    selectedTier.value = memberData.value.contributionAmount || 0
+    selectedTier.value = Number(memberData.value.contributionTier || 0)
     selectedCircle.value = memberData.value.circle || 'community'
   }
 })
@@ -154,11 +173,12 @@ const handleUpdateTier = async () => {
   try {
     await $fetch('/api/members/update-contribution', {
       method: 'POST',
-      body: { amount: selectedTier.value },
+      body: { contributionTier: String(selectedTier.value) },
     })
     await checkMemberStatus()
     toast.add({ title: 'Contribution updated', color: 'green' })
   } catch (err) {
+    selectedTier.value = Number(memberData.value?.contributionTier || 0)
     toast.add({ title: 'Update failed', description: err.data?.statusMessage || 'Please try again.', color: 'red' })
   } finally {
     isUpdating.value = false
@@ -175,18 +195,30 @@ const handleUpdateCircle = async () => {
     await checkMemberStatus()
     toast.add({ title: 'Circle updated', color: 'green' })
   } catch (err) {
+    selectedCircle.value = memberData.value?.circle || 'community'
     toast.add({ title: 'Update failed', description: err.data?.statusMessage || 'Please try again.', color: 'red' })
   } finally {
     isUpdating.value = false
   }
 }
 
-const handleCancelMembership = async () => {
+const showCancelConfirm = ref(false)
+
+const handleCancelMembership = () => {
+  showCancelConfirm.value = true
+}
+
+const confirmCancelMembership = async () => {
+  showCancelConfirm.value = false
   isCancelling.value = true
   try {
-    await $fetch('/api/members/cancel', { method: 'POST' })
+    const result = await $fetch('/api/members/cancel-subscription', { method: 'POST' })
     await checkMemberStatus()
-    toast.add({ title: 'Membership cancelled', color: 'orange' })
+    if (result.message === 'No active subscription to cancel') {
+      toast.add({ title: 'No active subscription', description: 'You are on the free tier — nothing to cancel.', color: 'neutral' })
+    } else {
+      toast.add({ title: 'Membership cancelled', color: 'orange' })
+    }
   } catch (err) {
     toast.add({ title: 'Cancellation failed', description: err.data?.statusMessage || 'Please try again.', color: 'red' })
   } finally {
@@ -196,56 +228,120 @@ const handleCancelMembership = async () => {
 </script>
 
 <style scoped>
+.member-account-page {
+  flex: 1;
+  display: flex;
+  flex-direction: column;
+  min-height: 0;
+}
+
 .loading {
+  flex: 1;
   padding: 48px 32px;
   color: var(--text-dim);
 }
 
+.account-authenticated {
+  flex: 1;
+  display: flex;
+  flex-direction: column;
+  min-height: 0;
+}
+
 /* ---- CONTENT AREA ---- */
 .content-area {
+  flex: 1;
   display: grid;
   grid-template-columns: 1fr 200px;
+  align-items: stretch;
+  min-height: 0;
 }
 .page-content {
   min-width: 0;
+  align-self: stretch;
+  height: 100%;
+  min-height: 100%;
+  display: flex;
+  flex-direction: column;
 }
 
 /* ---- TWO-COLUMN LAYOUT ---- */
 .account-columns {
+  flex: 1;
   display: grid;
   grid-template-columns: 1fr 1fr;
+  align-items: stretch;
+  min-height: 0;
+}
+.account-col-left,
+.account-col-right {
+  display: flex;
+  flex-direction: column;
+  min-height: 0;
+  align-self: stretch;
+  width: 100%;
+  min-width: 0;
 }
 .account-col-left {
-  padding: 24px 28px;
   border-right: 1px dashed var(--border);
 }
-.account-col-right {
-  padding: 24px 28px;
+
+/* Full-column rules: border on block-level section (no hr / flex quirks) */
+.account-section {
+  width: 100%;
+  min-width: 0;
+}
+.account-section + .account-section {
+  margin-top: 20px;
+  border-top: 1px dashed var(--border);
+  padding-top: 14px;
+}
+.account-section + .account-section.account-section--danger {
+  border-top-color: var(--ember);
+}
+
+.account-col-left > .account-section:first-child .account-col-inset,
+.account-col-right > .account-section:first-child .account-col-inset {
+  padding-top: 24px;
+}
+
+.account-col-left > .account-section:last-child .account-col-inset,
+.account-col-right > .account-section:last-child .account-col-inset {
+  padding-bottom: 24px;
+}
+
+.account-col-left .account-col-inset {
+  padding-left: 28px;
+  padding-right: 24px;
+}
+
+.account-col-right .account-col-inset {
+  padding-left: 24px;
+  padding-right: 28px;
 }
 
 /* ---- MEMBERSHIP CARD ---- */
 .membership-card {
   border: 1px dashed var(--border);
-  padding: 16px 20px;
+  padding: 0;
   margin-bottom: 12px;
 }
-.membership-card table {
-  width: 100%;
-  border-collapse: collapse;
-}
-.membership-card td {
-  padding: 4px 0;
+.membership-row {
+  display: grid;
+  grid-template-columns: 120px 1fr;
+  gap: 0 12px;
+  align-items: baseline;
+  padding: 10px 20px;
   font-size: 12px;
   border-bottom: 1px dashed var(--border);
 }
-.membership-card tr:last-child td {
+.membership-row:last-child {
   border-bottom: none;
 }
-.membership-card td:first-child {
+.membership-k {
   color: var(--text-faint);
-  width: 120px;
 }
-.membership-card td:last-child {
+.membership-v {
   color: var(--text);
 }
 
@@ -279,9 +375,6 @@ const handleCancelMembership = async () => {
 }
 
 /* ---- DANGER ZONE ---- */
-.section-divider.danger {
-  border-color: var(--ember);
-}
 .section-label.danger {
   color: var(--ember);
 }
@@ -293,6 +386,21 @@ const handleCancelMembership = async () => {
   max-width: 400px;
 }
 
+/* ---- CANCEL CONFIRM ---- */
+.cancel-confirm {
+  border: 1px dashed var(--ember);
+  padding: 14px 16px;
+}
+.cancel-confirm-prompt {
+  font-size: 12px;
+  color: var(--ember);
+  margin-bottom: 10px;
+}
+.cancel-confirm-actions {
+  display: flex;
+  gap: 8px;
+}
+
 /* ---- TIER HINT ---- */
 .tier-hint {
   font-size: 11px;
@@ -313,5 +421,10 @@ const handleCancelMembership = async () => {
     border-right: none;
     border-bottom: 1px dashed var(--border);
   }
+  .account-col-left .account-col-inset,
+  .account-col-right .account-col-inset {
+    padding-left: 28px;
+    padding-right: 28px;
+  }
 }
 </style>
diff --git a/app/pages/member/dashboard.vue b/app/pages/member/dashboard.vue
index 8f62dc7..f1ed63f 100644
--- a/app/pages/member/dashboard.vue
+++ b/app/pages/member/dashboard.vue
@@ -21,6 +21,7 @@
 
     <!-- Dashboard Content -->
     <template v-else>
+      <div class="dashboard-body">
       <!-- Member Status Banner -->
       <MemberStatusBanner :dismissible="true" />
 
@@ -149,6 +150,7 @@
           </DashedBox>
         </div>
       </div>
+      </div>
     </template>
 
     <template #fallback>
@@ -321,14 +323,22 @@ useHead({
 <style scoped>
 /* ---- DASHBOARD LAYOUT ---- */
 .dashboard {
-  max-width: 960px;
-  margin: 0 auto;
+  flex: 1;
+  display: flex;
+  flex-direction: column;
+  min-height: 0;
+  width: 100%;
 }
 
 /* ---- LOADING / UNAUTH STATES ---- */
 .loading-state {
+  flex: 1;
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  justify-content: center;
   text-align: center;
-  padding: 80px 24px;
+  padding: 48px 24px;
   color: var(--text-faint);
 }
 
@@ -357,10 +367,17 @@ useHead({
 }
 
 .unauth-state {
+  flex: 1;
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  justify-content: center;
   text-align: center;
-  padding: 80px 24px;
+  padding: 48px 24px;
   max-width: 400px;
+  width: 100%;
   margin: 0 auto;
+  box-sizing: border-box;
 }
 
 .unauth-state h2 {
@@ -404,10 +421,19 @@ useHead({
 }
 
 /* ---- CONTENT GRID ---- */
+.dashboard-body {
+  flex: 1;
+  display: flex;
+  flex-direction: column;
+  min-height: 0;
+  width: 100%;
+}
+
 .content-row {
   display: grid;
   grid-template-columns: repeat(2, minmax(0, 1fr));
   border-bottom: 1px dashed var(--border);
+  align-items: stretch;
 }
 
 .content-block {
@@ -415,6 +441,7 @@ useHead({
   border-right: 1px dashed var(--border);
   min-width: 0;
   overflow-wrap: break-word;
+  align-self: stretch;
 }
 
 .content-block:last-child {
diff --git a/app/pages/member/my-updates.vue b/app/pages/member/my-updates.vue
index 716e875..7ef21d1 100644
--- a/app/pages/member/my-updates.vue
+++ b/app/pages/member/my-updates.vue
@@ -1,5 +1,5 @@
 <template>
-  <div>
+  <div class="my-updates-page">
     <PageHeader
       title="My Updates"
       subtitle="Your activity and milestones in the Guild"
@@ -312,10 +312,20 @@ useHead({
 </script>
 
 <style scoped>
+.my-updates-page {
+  flex: 1;
+  display: flex;
+  flex-direction: column;
+  min-height: 0;
+}
+
 /* ---- TWO-COLUMN LAYOUT ---- */
 .content-area {
+  flex: 1;
   display: grid;
   grid-template-columns: 1fr 200px;
+  align-items: stretch;
+  min-height: 0;
 }
 
 .content-main {
diff --git a/app/pages/member/profile.vue b/app/pages/member/profile.vue
index 69cf3f0..33dd161 100644
--- a/app/pages/member/profile.vue
+++ b/app/pages/member/profile.vue
@@ -1,5 +1,5 @@
 <template>
-  <div>
+  <div class="profile-page">
     <!-- Loading State -->
     <div v-if="loading" class="loading-state">
       <p style="color: var(--text-faint)">Loading your profile...</p>
@@ -16,7 +16,7 @@
       </button>
     </div>
 
-    <div v-else>
+    <div v-else class="profile-authenticated">
       <!-- PAGE HEADER -->
       <PageHeader
         title="Edit Profile"
@@ -25,11 +25,13 @@
 
       <!-- TWO-COLUMN FORM -->
       <form class="page-content" @submit.prevent="handleSubmit">
+        <div class="profile-main">
         <div class="profile-columns">
 
           <!-- ======== LEFT COLUMN ======== -->
           <div class="profile-col-left">
 
+            <div class="profile-col-inset">
             <div class="section-label">Basics</div>
 
             <div class="field">
@@ -73,9 +75,11 @@
                 </button>
               </div>
             </div>
+            </div>
 
             <!-- About You -->
-            <hr class="section-divider section-divider-left" />
+            <hr class="section-divider" />
+            <div class="profile-col-inset">
             <div class="section-label">About You</div>
 
             <div class="row-2">
@@ -103,9 +107,11 @@
               <textarea v-model="formData.bio" rows="2" placeholder="Share your background, interests, and experience..." maxlength="300"></textarea>
               <div class="char-count">{{ formData.bio?.length || 0 }} / 300</div>
             </div>
+            </div>
 
             <!-- Skills Exchange -->
-            <hr class="section-divider section-divider-left" />
+            <hr class="section-divider" />
+            <div class="profile-col-inset">
             <div class="section-label">Skills Exchange</div>
 
             <div class="field">
@@ -131,9 +137,11 @@
               <label>Details</label>
               <textarea v-model="formData.lookingFor.text" rows="2" placeholder="e.g., Seeking a business-minded co-founder for a worker co-op studio."></textarea>
             </div>
+            </div>
 
             <!-- Visibility -->
-            <hr class="section-divider section-divider-left" />
+            <hr class="section-divider" />
+            <div class="profile-col-inset">
             <div class="section-label">Visibility</div>
 
             <div class="toggle-field">
@@ -143,12 +151,14 @@
                 <span class="toggle-sub">Your profile will appear in the public member listing</span>
               </div>
             </div>
+            </div>
 
           </div>
 
           <!-- ======== RIGHT COLUMN ======== -->
           <div class="profile-col-right">
 
+            <div class="profile-col-inset">
             <div class="section-label">Peer Support</div>
 
             <div class="toggle-field">
@@ -205,9 +215,11 @@
                 <div class="char-count">{{ formData.peerSupportMessage?.length || 0 }} / 200</div>
               </div>
             </div>
+            </div>
 
             <!-- Notifications -->
-            <hr class="section-divider section-divider-right" />
+            <hr class="section-divider" />
+            <div class="profile-col-inset">
             <div class="section-label">Notifications</div>
 
             <div class="toggle-field">
@@ -233,6 +245,7 @@
                 <span class="toggle-sub">When someone wants to connect</span>
               </div>
             </div>
+            </div>
 
           </div>
 
@@ -247,6 +260,7 @@
           <span v-if="saveSuccess" class="save-msg save-msg-ok">Profile updated.</span>
           <span v-if="saveError" class="save-msg save-msg-err">{{ saveError }}</span>
         </div>
+        </div>
       </form>
     </div>
   </div>
@@ -441,7 +455,14 @@ const handleSubmit = async () => {
     // Save profile data
     await $fetch('/api/members/profile', {
       method: 'PATCH',
-      body: formData,
+      body: {
+        ...formData,
+        notifications: {
+          events: formData.notifyEvents,
+          updates: formData.notifyUpdates,
+          peerRequests: formData.notifyPeerRequests,
+        },
+      },
     })
 
     // Save peer support data separately
@@ -504,6 +525,20 @@ useHead({
 </script>
 
 <style scoped>
+.profile-page {
+  flex: 1;
+  display: flex;
+  flex-direction: column;
+  min-height: 0;
+}
+
+.profile-authenticated {
+  flex: 1;
+  display: flex;
+  flex-direction: column;
+  min-height: 0;
+}
+
 /* ---- LOADING / EMPTY STATE ---- */
 .loading-state {
   display: flex;
@@ -514,41 +549,83 @@ useHead({
   text-align: center;
 }
 
+.profile-page > .loading-state {
+  flex: 1;
+}
+
 /* ---- CONTENT AREA ---- */
 .page-content {
-  padding: 0 28px;
+  flex: 1;
   display: flex;
   flex-direction: column;
+  min-height: 0;
+  padding: 0;
+}
+
+/* Grid + save bar: one flex child so the center rule can span both */
+.profile-main {
+  flex: 1;
+  display: flex;
+  flex-direction: column;
+  min-height: 0;
+  position: relative;
+}
+
+/* Full-height vertical rule between columns (through save bar); 1fr | 1fr grid */
+.profile-main::before {
+  display: none;
+}
+
+@media (min-width: 1025px) {
+  .profile-main::before {
+    display: block;
+    content: '';
+    position: absolute;
+    top: 0;
+    bottom: 0;
+    left: 50%;
+    width: 0;
+    border-left: 1px dashed var(--border);
+    pointer-events: none;
+  }
 }
 
 /* ---- TWO-COLUMN LAYOUT ---- */
 .profile-columns {
+  flex: 1;
   display: grid;
   grid-template-columns: 1fr 1fr;
+  grid-template-rows: 1fr;
   gap: 0;
-  flex: 1;
+  align-items: stretch;
+  min-height: 0;
+}
+
+.profile-col-left,
+.profile-col-right {
+  display: flex;
+  flex-direction: column;
+  min-height: 0;
+  align-self: stretch;
 }
 
 .profile-col-left {
+  border-right: none;
+}
+
+.profile-col-left > .profile-col-inset:first-of-type,
+.profile-col-right > .profile-col-inset:first-of-type {
+  padding-top: 14px;
+}
+
+.profile-col-left .profile-col-inset {
+  padding-left: 28px;
   padding-right: 24px;
-  padding-top: 14px;
-  border-right: 1px dashed var(--border);
 }
 
-.profile-col-right {
+.profile-col-right .profile-col-inset {
   padding-left: 24px;
-  padding-top: 14px;
-}
-
-/* ---- SECTION DIVIDERS (full bleed) ---- */
-.section-divider-left {
-  margin-left: -28px;
-  margin-right: -24px;
-}
-
-.section-divider-right {
-  margin-left: -24px;
-  margin-right: -28px;
+  padding-right: 28px;
 }
 
 /* ---- MULTI-COLUMN ROWS ---- */
@@ -710,10 +787,9 @@ useHead({
 
 /* ---- SAVE BAR ---- */
 .save-bar {
-  margin-left: -28px;
-  margin-right: -28px;
-  padding: 16px 28px 24px;
-  margin-top: 20px;
+  flex-shrink: 0;
+  padding: 24px 28px 24px;
+  margin-top: 0;
   border-top: 1px dashed var(--border);
   display: flex;
   align-items: center;
@@ -737,36 +813,24 @@ useHead({
 @media (max-width: 1024px) {
   .profile-columns {
     grid-template-columns: 1fr;
+    grid-template-rows: auto;
   }
 
   .profile-col-left {
-    padding-right: 0;
     border-right: none;
     border-bottom: 1px dashed var(--border);
     padding-bottom: 20px;
     margin-bottom: 20px;
-    margin-left: -28px;
-    margin-right: -28px;
+  }
+
+  .profile-col-left .profile-col-inset,
+  .profile-col-right .profile-col-inset {
     padding-left: 28px;
     padding-right: 28px;
   }
-
-  .profile-col-right {
-    padding-left: 0;
-  }
-
-  .section-divider-left,
-  .section-divider-right {
-    margin-left: -28px;
-    margin-right: -28px;
-  }
 }
 
 @media (max-width: 768px) {
-  .page-content {
-    padding: 0 16px;
-  }
-
   .row-2 {
     grid-template-columns: 1fr;
   }
@@ -775,22 +839,13 @@ useHead({
     grid-template-columns: 1fr;
   }
 
-  .profile-col-left {
-    margin-left: -16px;
-    margin-right: -16px;
+  .profile-col-left .profile-col-inset,
+  .profile-col-right .profile-col-inset {
     padding-left: 16px;
     padding-right: 16px;
   }
 
-  .section-divider-left,
-  .section-divider-right {
-    margin-left: -16px;
-    margin-right: -16px;
-  }
-
   .save-bar {
-    margin-left: -16px;
-    margin-right: -16px;
     padding-left: 16px;
     padding-right: 16px;
     flex-wrap: wrap;
diff --git a/app/pages/series/[id].vue b/app/pages/series/[id].vue
index 5f12af8..14b3d13 100644
--- a/app/pages/series/[id].vue
+++ b/app/pages/series/[id].vue
@@ -50,12 +50,15 @@
       </div>
 
       <!-- PASS PURCHASE -->
-      <div v-if="series.passPrice" class="section">
-        <DashedBox>
-          <div class="section-label">Series Pass</div>
-          <p>Get access to all sessions in this series with a single pass.</p>
-          <div class="pass-price">${{ series.passPrice }}</div>
-        </DashedBox>
+      <div v-if="series.tickets?.enabled" class="section">
+        <SeriesPassPurchase
+          :series-id="series.id"
+          :series-info="{ id: series.id, title: series.title, totalEvents: series.totalEvents || series.events?.length || 0, type: series.type }"
+          :series-events="series.events || []"
+          :user-email="memberData?.email"
+          :user-name="memberData?.name"
+          @purchase-success="handlePurchaseSuccess"
+        />
       </div>
 
       <!-- QUESTIONS -->
@@ -70,6 +73,7 @@
 
 <script setup>
 const route = useRoute()
+const { memberData } = useAuth()
 
 const { data: series, pending, error } = await useFetch(`/api/series/${route.params.id}`)
 
@@ -96,6 +100,10 @@ const getEventStatus = (event) => {
   return 'Completed'
 }
 
+const handlePurchaseSuccess = () => {
+  refreshNuxtData()
+}
+
 useHead(() => ({
   title: series.value ? `${series.value.title} - Event Series - Ghost Guild` : 'Event Series - Ghost Guild',
   meta: [{ name: 'description', content: series.value?.description || 'Multi-event series' }],
@@ -152,13 +160,5 @@ useHead(() => ({
 .event-title-link:hover { color: var(--candle); }
 .event-status { font-size: 10px; color: var(--text-faint); margin-left: 8px; }
 
-.pass-price {
-  font-family: 'Brygada 1918', serif;
-  font-size: 22px;
-  font-weight: 600;
-  color: var(--candle);
-  margin-top: 8px;
-}
-
 .empty { font-size: 12px; color: var(--text-faint); }
 </style>
diff --git a/app/pages/updates/[id]/edit.vue b/app/pages/updates/[id]/edit.vue
new file mode 100644
index 0000000..3c1bf7e
--- /dev/null
+++ b/app/pages/updates/[id]/edit.vue
@@ -0,0 +1,157 @@
+<template>
+  <div>
+    <div class="back-link">
+      <NuxtLink to="/member/my-updates">&larr; Back to My Updates</NuxtLink>
+    </div>
+
+    <div v-if="pending" class="loading">Loading update...</div>
+
+    <template v-else-if="update">
+      <div class="form-header">
+        <h1>Edit Update</h1>
+      </div>
+
+      <form @submit.prevent="handleSubmit" class="update-form">
+        <div class="field">
+          <label class="section-label">Content</label>
+          <textarea
+            v-model="form.content"
+            rows="8"
+            required
+            :disabled="saving"
+          ></textarea>
+          <div class="char-count">{{ form.content.length }} / 50000</div>
+        </div>
+
+        <div class="field">
+          <label class="section-label">Visibility</label>
+          <select v-model="form.privacy" :disabled="saving">
+            <option value="members">Members only</option>
+            <option value="public">Public</option>
+            <option value="private">Private (only you)</option>
+          </select>
+        </div>
+
+        <div class="form-actions">
+          <NuxtLink to="/member/my-updates" class="btn">Cancel</NuxtLink>
+          <button
+            type="submit"
+            class="btn btn-primary"
+            :disabled="saving || !form.content.trim()"
+          >
+            {{ saving ? 'Saving...' : 'Save Changes' }}
+          </button>
+        </div>
+      </form>
+    </template>
+
+    <div v-else class="loading">Update not found.</div>
+  </div>
+</template>
+
+<script setup>
+definePageMeta({ middleware: 'auth' })
+
+const route = useRoute()
+const toast = useToast()
+
+const { data: update, pending } = await useFetch(`/api/updates/${route.params.id}`)
+
+const form = ref({
+  content: update.value?.content || '',
+  privacy: update.value?.privacy || 'members',
+})
+
+watch(update, (val) => {
+  if (val) {
+    form.value.content = val.content || ''
+    form.value.privacy = val.privacy || 'members'
+  }
+})
+
+const saving = ref(false)
+
+const handleSubmit = async () => {
+  saving.value = true
+  try {
+    await $fetch(`/api/updates/${route.params.id}`, {
+      method: 'PATCH',
+      body: { content: form.value.content, privacy: form.value.privacy },
+    })
+    toast.add({ title: 'Update saved!', color: 'green' })
+    navigateTo('/member/my-updates')
+  } catch (err) {
+    toast.add({
+      title: 'Failed to save update',
+      description: err.data?.statusMessage || 'Please try again.',
+      color: 'red',
+    })
+  } finally {
+    saving.value = false
+  }
+}
+
+useHead({ title: 'Edit Update - Ghost Guild' })
+</script>
+
+<style scoped>
+.back-link {
+  padding: 12px 32px;
+  border-bottom: 1px dashed var(--border);
+  font-size: 12px;
+}
+.back-link a { color: var(--candle); text-decoration: none; }
+
+.loading {
+  padding: 48px 32px;
+  font-size: 12px;
+  color: var(--text-dim);
+}
+
+.form-header {
+  padding: 28px 32px 20px;
+  border-bottom: 1px dashed var(--border);
+}
+.form-header h1 {
+  font-family: 'Brygada 1918', serif;
+  font-size: 24px;
+  font-weight: 600;
+  color: var(--text-bright);
+}
+
+.update-form {
+  padding: 24px 32px;
+  max-width: 640px;
+  display: flex;
+  flex-direction: column;
+  gap: 20px;
+}
+
+.field { display: flex; flex-direction: column; gap: 6px; }
+
+textarea, select {
+  font-family: 'Commit Mono', monospace;
+  font-size: 13px;
+  background: var(--surface);
+  border: 1px dashed var(--border);
+  color: var(--text);
+  padding: 10px 12px;
+  resize: vertical;
+  width: 100%;
+}
+textarea:focus, select:focus { outline: none; border-color: var(--candle); }
+textarea:disabled, select:disabled { opacity: 0.6; }
+
+.char-count {
+  font-size: 11px;
+  color: var(--text-faint);
+  text-align: right;
+}
+
+.form-actions {
+  display: flex;
+  gap: 8px;
+  justify-content: flex-end;
+  padding-top: 4px;
+}
+</style>
diff --git a/app/pages/updates/new.vue b/app/pages/updates/new.vue
new file mode 100644
index 0000000..71daa7c
--- /dev/null
+++ b/app/pages/updates/new.vue
@@ -0,0 +1,139 @@
+<template>
+  <div>
+    <div class="back-link">
+      <NuxtLink to="/member/my-updates">&larr; Back to My Updates</NuxtLink>
+    </div>
+
+    <div class="form-header">
+      <h1>New Update</h1>
+      <p>Share what you're working on with the community</p>
+    </div>
+
+    <form @submit.prevent="handleSubmit" class="update-form">
+      <div class="field">
+        <label class="section-label">Content</label>
+        <textarea
+          v-model="form.content"
+          rows="8"
+          required
+          placeholder="What's on your mind? Share a project update, milestone, or thought..."
+          :disabled="saving"
+        ></textarea>
+        <div class="char-count">{{ form.content.length }} / 50000</div>
+      </div>
+
+      <div class="field">
+        <label class="section-label">Visibility</label>
+        <select v-model="form.privacy" :disabled="saving">
+          <option value="members">Members only</option>
+          <option value="public">Public</option>
+          <option value="private">Private (only you)</option>
+        </select>
+      </div>
+
+      <div class="form-actions">
+        <NuxtLink to="/member/my-updates" class="btn">Cancel</NuxtLink>
+        <button
+          type="submit"
+          class="btn btn-primary"
+          :disabled="saving || !form.content.trim()"
+        >
+          {{ saving ? 'Posting...' : 'Post Update' }}
+        </button>
+      </div>
+    </form>
+  </div>
+</template>
+
+<script setup>
+definePageMeta({ middleware: 'auth' })
+
+const toast = useToast()
+
+const form = ref({
+  content: '',
+  privacy: 'members',
+})
+const saving = ref(false)
+
+const handleSubmit = async () => {
+  saving.value = true
+  try {
+    await $fetch('/api/updates', {
+      method: 'POST',
+      body: { content: form.value.content, privacy: form.value.privacy },
+    })
+    toast.add({ title: 'Update posted!', color: 'green' })
+    navigateTo('/member/my-updates')
+  } catch (err) {
+    toast.add({
+      title: 'Failed to post update',
+      description: err.data?.statusMessage || 'Please try again.',
+      color: 'red',
+    })
+  } finally {
+    saving.value = false
+  }
+}
+
+useHead({ title: 'New Update - Ghost Guild' })
+</script>
+
+<style scoped>
+.back-link {
+  padding: 12px 32px;
+  border-bottom: 1px dashed var(--border);
+  font-size: 12px;
+}
+.back-link a { color: var(--candle); text-decoration: none; }
+
+.form-header {
+  padding: 28px 32px 0;
+  border-bottom: 1px dashed var(--border);
+  padding-bottom: 20px;
+}
+.form-header h1 {
+  font-family: 'Brygada 1918', serif;
+  font-size: 24px;
+  font-weight: 600;
+  color: var(--text-bright);
+  margin-bottom: 4px;
+}
+.form-header p { font-size: 12px; color: var(--text-dim); }
+
+.update-form {
+  padding: 24px 32px;
+  max-width: 640px;
+  display: flex;
+  flex-direction: column;
+  gap: 20px;
+}
+
+.field { display: flex; flex-direction: column; gap: 6px; }
+
+textarea, select {
+  font-family: 'Commit Mono', monospace;
+  font-size: 13px;
+  background: var(--surface);
+  border: 1px dashed var(--border);
+  color: var(--text);
+  padding: 10px 12px;
+  resize: vertical;
+  width: 100%;
+}
+textarea:focus, select:focus { outline: none; border-color: var(--candle); }
+textarea:disabled, select:disabled { opacity: 0.6; }
+
+.char-count {
+  font-size: 11px;
+  color: var(--text-faint);
+  text-align: right;
+}
+
+.form-actions {
+  display: flex;
+  gap: 8px;
+  justify-content: flex-end;
+  padding-top: 4px;
+}
+</style>
diff --git a/app/pages/verify.vue b/app/pages/verify.vue
new file mode 100644
index 0000000..16fb6a3
--- /dev/null
+++ b/app/pages/verify.vue
@@ -0,0 +1,80 @@
+<template>
+  <div class="verify-page">
+    <div class="verify-box">
+      <div v-if="state === 'verifying'" class="verify-status">
+        <div class="section-label">Ghost Guild</div>
+        <p>Verifying your login link&hellip;</p>
+      </div>
+
+      <div v-else-if="state === 'error'" class="verify-status">
+        <div class="section-label">Login Failed</div>
+        <p class="error-msg">{{ errorMessage }}</p>
+        <NuxtLink to="/" class="btn btn-primary">Back to home</NuxtLink>
+      </div>
+    </div>
+  </div>
+</template>
+
+<script setup>
+definePageMeta({ layout: false })
+
+const state = ref('verifying')
+const errorMessage = ref('')
+
+onMounted(async () => {
+  const hash = window.location.hash.slice(1)
+
+  if (!hash) {
+    state.value = 'error'
+    errorMessage.value = 'No login token found. Please request a new login link.'
+    return
+  }
+
+  try {
+    const data = await $fetch('/api/auth/verify', {
+      method: 'POST',
+      body: { token: hash },
+    })
+
+    await navigateTo(data.redirectUrl, { replace: true })
+  } catch (err) {
+    state.value = 'error'
+    const status = err?.response?.status
+    if (status === 401) {
+      errorMessage.value = 'This login link is invalid or has expired. Please request a new one.'
+    } else if (status === 403) {
+      errorMessage.value = err?.data?.statusMessage || 'Your account is not active. Please contact support.'
+    } else {
+      errorMessage.value = 'Something went wrong. Please try again or request a new login link.'
+    }
+  }
+})
+</script>
+
+<style scoped>
+.verify-page {
+  min-height: 100vh;
+  background: var(--bg);
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  padding: 2rem;
+}
+
+.verify-box {
+  border: 1px dashed var(--border);
+  padding: 2rem 2.5rem;
+  max-width: 420px;
+  width: 100%;
+}
+
+.verify-status {
+  display: flex;
+  flex-direction: column;
+  gap: 1rem;
+}
+
+.error-msg {
+  color: var(--ember);
+}
+</style>
diff --git a/server/api/admin/members/[id].put.js b/server/api/admin/members/[id].put.js
new file mode 100644
index 0000000..fa5aac2
--- /dev/null
+++ b/server/api/admin/members/[id].put.js
@@ -0,0 +1,42 @@
+import Member from '../../../models/member.js'
+import { connectDB } from '../../../utils/mongoose.js'
+
+export default defineEventHandler(async (event) => {
+  await requireAdmin(event)
+
+  const body = await validateBody(event, adminMemberUpdateSchema)
+  const memberId = getRouterParam(event, 'id')
+
+  await connectDB()
+
+  // If email changed, check for duplicates
+  const existing = await Member.findById(memberId)
+  if (!existing) {
+    throw createError({ statusCode: 404, statusMessage: 'Member not found' })
+  }
+
+  if (body.email !== existing.email) {
+    const emailTaken = await Member.findOne({ email: body.email })
+    if (emailTaken) {
+      throw createError({ statusCode: 409, statusMessage: 'Email already in use by another member' })
+    }
+  }
+
+  const updated = await Member.findByIdAndUpdate(memberId, {
+    name: body.name,
+    email: body.email,
+    circle: body.circle,
+    contributionTier: body.contributionTier,
+    status: body.status,
+  }, { new: true })
+
+  return {
+    _id: updated._id,
+    name: updated.name,
+    email: updated.email,
+    circle: updated.circle,
+    contributionTier: updated.contributionTier,
+    status: updated.status,
+    role: updated.role,
+  }
+})
diff --git a/server/api/admin/members/invite.post.js b/server/api/admin/members/invite.post.js
index ded0799..70e1c76 100644
--- a/server/api/admin/members/invite.post.js
+++ b/server/api/admin/members/invite.post.js
@@ -1,4 +1,5 @@
 import jwt from 'jsonwebtoken'
+import { randomUUID } from 'crypto'
 import { Resend } from 'resend'
 import Member from '../../../models/member.js'
 import { connectDB } from '../../../utils/mongoose.js'
@@ -10,12 +11,12 @@ export default defineEventHandler(async (event) => {
   const { memberIds, emailTemplate } = await validateBody(event, memberInviteSchema)
   await connectDB()
 
-  const config = useRuntimeConfig(event)
-  const headers = getHeaders(event)
-  const baseUrl =
-    process.env.BASE_URL ||
-    `${headers.host?.includes('localhost') ? 'http' : 'https'}://${headers.host}`
+  const baseUrl = process.env.BASE_URL
+  if (!baseUrl) {
+    throw createError({ statusCode: 500, statusMessage: 'BASE_URL environment variable is not set' })
+  }
 
+  const config = useRuntimeConfig(event)
   const members = await Member.find({ _id: { $in: memberIds } })
 
   if (members.length === 0) {
@@ -28,15 +29,32 @@ export default defineEventHandler(async (event) => {
   const results = []
 
   for (const member of members) {
+    // Skip suspended/cancelled — do not reactivate silently
+    if (member.status === 'suspended' || member.status === 'cancelled') {
+      results.push({
+        memberId: member._id,
+        email: member.email,
+        success: false,
+        error: `Skipped: account is ${member.status}`,
+      })
+      continue
+    }
+
     try {
-      // Generate 48-hour magic login token (same format as login.post.js)
+      // Generate single-use invite token (48h), same jti pattern as login.post.js
+      const jti = randomUUID()
       const token = jwt.sign(
-        { memberId: member._id },
+        { memberId: member._id, jti },
         config.jwtSecret,
-        { expiresIn: '48h' }
+        { expiresIn: '48h' },
       )
 
-      const loginLink = `${baseUrl}/api/auth/verify?token=${token}`
+      // Store jti for single-use enforcement in verify.post.js
+      member.magicLinkJti = jti
+      member.magicLinkJtiUsed = false
+
+      // Token in fragment — never hits server logs
+      const loginLink = `${baseUrl}/verify#${token}`
 
       // Interpolate template variables
       const emailText = emailTemplate
@@ -59,9 +77,9 @@ export default defineEventHandler(async (event) => {
       const { error: emailError } = await resend.emails.send({
         from: 'Ghost Guild <welcome@babyghosts.org>',
         to: [member.email],
-        subject: 'You\'re invited to Ghost Guild',
+        subject: "You're invited to Ghost Guild",
         text: emailText,
-        html: emailHtml
+        html: emailHtml,
       })
 
       if (emailError) {
diff --git a/server/api/auth/member.get.js b/server/api/auth/member.get.js
index 146d13e..048b767 100644
--- a/server/api/auth/member.get.js
+++ b/server/api/auth/member.get.js
@@ -8,6 +8,7 @@ export default defineEventHandler(async (event) => {
     id: member._id,
     email: member.email,
     name: member.name,
+    status: member.status,
     role: member.role || 'member',
     circle: member.circle,
     contributionTier: member.contributionTier,
@@ -23,8 +24,11 @@ export default defineEventHandler(async (event) => {
     offering: member.offering,
     lookingFor: member.lookingFor,
     showInDirectory: member.showInDirectory,
+    notifications: member.notifications,
     privacy: member.privacy,
     // Peer support
     peerSupport: member.peerSupport,
+    // Timestamps
+    createdAt: member.createdAt,
   };
 });
diff --git a/server/api/auth/refresh.post.js b/server/api/auth/refresh.post.js
index 482fef9..88c4423 100644
--- a/server/api/auth/refresh.post.js
+++ b/server/api/auth/refresh.post.js
@@ -40,9 +40,16 @@ export default defineEventHandler(async (event) => {
     })
   }
 
-  // Issue a fresh token
+  if (decoded.tv !== member.tokenVersion) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: 'Session has been revoked'
+    })
+  }
+
+  // Issue a fresh token with current tokenVersion
   const newToken = jwt.sign(
-    { memberId: member._id, email: member.email },
+    { memberId: member._id, email: member.email, tv: member.tokenVersion },
     useRuntimeConfig().jwtSecret,
     { expiresIn: '7d' }
   )
@@ -51,7 +58,8 @@ export default defineEventHandler(async (event) => {
     httpOnly: true,
     secure: process.env.NODE_ENV === 'production',
     sameSite: 'lax',
-    maxAge: 60 * 60 * 24 * 7 // 7 days
+    path: '/',
+    maxAge: 60 * 60 * 24 * 7, // 7 days
   })
 
   return { success: true }
diff --git a/server/api/auth/status.get.js b/server/api/auth/status.get.js
index ec47164..08928a3 100644
--- a/server/api/auth/status.get.js
+++ b/server/api/auth/status.get.js
@@ -19,7 +19,7 @@ export default defineEventHandler(async (event) => {
     }
 
     if (member.status === 'suspended' || member.status === 'cancelled') {
-      return { authenticated: false, member: null, reason: 'account_' + member.status }
+      return { authenticated: false, member: null }
     }
 
     return { 
@@ -29,6 +29,7 @@ export default defineEventHandler(async (event) => {
         email: member.email,
         name: member.name,
         circle: member.circle,
+        status: member.status,
         contributionTier: member.contributionTier,
         membershipLevel: `${member.circle}-${member.contributionTier}`
       }
diff --git a/server/api/dev/member-login.get.js b/server/api/dev/member-login.get.js
new file mode 100644
index 0000000..df4cd03
--- /dev/null
+++ b/server/api/dev/member-login.get.js
@@ -0,0 +1,41 @@
+import jwt from 'jsonwebtoken'
+import Member from '../../models/member.js'
+import { connectDB } from '../../utils/mongoose.js'
+
+export default defineEventHandler(async (event) => {
+  // Only allow in development
+  if (process.env.NODE_ENV === 'production') {
+    throw createError({ statusCode: 404, statusMessage: 'Not found' })
+  }
+
+  const query = getQuery(event)
+  const email = query.email
+
+  if (!email) {
+    throw createError({ statusCode: 400, statusMessage: 'email query param required' })
+  }
+
+  await connectDB()
+
+  const member = await Member.findOne({ email: email.toLowerCase() })
+
+  if (!member) {
+    throw createError({ statusCode: 404, statusMessage: `No member found with email: ${email}` })
+  }
+
+  const config = useRuntimeConfig(event)
+  const token = jwt.sign(
+    { memberId: member._id, email: member.email },
+    config.jwtSecret,
+    { expiresIn: '7d' }
+  )
+
+  setCookie(event, 'auth-token', token, {
+    httpOnly: true,
+    secure: false,
+    sameSite: 'lax',
+    maxAge: 60 * 60 * 24 * 7,
+  })
+
+  await sendRedirect(event, '/member/account', 302)
+})
diff --git a/server/api/events/[id]/cancel-registration.post.js b/server/api/events/[id]/cancel-registration.post.js
index a0dee6e..db20c62 100644
--- a/server/api/events/[id]/cancel-registration.post.js
+++ b/server/api/events/[id]/cancel-registration.post.js
@@ -3,12 +3,15 @@ import {
   sendEventCancellationEmail,
   sendWaitlistNotificationEmail,
 } from "../../../utils/resend.js";
+import { connectDB } from "../../../utils/mongoose.js";
 
 export default defineEventHandler(async (event) => {
   const id = getRouterParam(event, "id");
   const body = await validateBody(event, cancelRegistrationSchema);
   const { email } = body;
 
+  await connectDB();
+
   try {
     // Check if id is a valid ObjectId or treat as slug
     const isObjectId = /^[0-9a-fA-F]{24}$/.test(id);
@@ -46,13 +49,15 @@ export default defineEventHandler(async (event) => {
         eventDoc.registrations[registrationIndex].membershipLevel,
     };
 
-    // Remove the registration
-    eventDoc.registrations.splice(registrationIndex, 1);
-
-    // Update registered count
-    eventDoc.registeredCount = eventDoc.registrations.length;
-
-    await eventDoc.save();
+    // Use $pull to avoid re-validating the whole document (e.g. legacy location formats)
+    await Event.findByIdAndUpdate(
+      eventDoc._id,
+      {
+        $pull: { registrations: { email: registration.email } },
+        $inc: { registeredCount: -1 },
+      },
+      { runValidators: false }
+    );
 
     // Send cancellation confirmation email
     try {
@@ -90,9 +95,13 @@ export default defineEventHandler(async (event) => {
         if (waitlistEntry) {
           await sendWaitlistNotificationEmail(waitlistEntry, eventData);
 
-          // Mark as notified
-          waitlistEntry.notified = true;
-          await eventDoc.save();
+          // Mark as notified using findByIdAndUpdate to avoid re-validating the document
+          const entryIndex = eventDoc.tickets.waitlist.entries.indexOf(waitlistEntry);
+          await Event.findByIdAndUpdate(
+            eventDoc._id,
+            { $set: { [`tickets.waitlist.entries.${entryIndex}.notified`]: true } },
+            { runValidators: false }
+          );
         }
       } catch (waitlistError) {
         // Log error but don't fail the cancellation
diff --git a/server/api/events/[id]/register.post.js b/server/api/events/[id]/register.post.js
index ce2bbcb..e82b845 100644
--- a/server/api/events/[id]/register.post.js
+++ b/server/api/events/[id]/register.post.js
@@ -76,8 +76,8 @@ export default defineEventHandler(async (event) => {
 
     // If event requires payment and user is not a member, redirect to payment flow
     if (
-      eventData.pricing.paymentRequired &&
-      !eventData.pricing.isFree &&
+      eventData.pricing?.paymentRequired &&
+      !eventData.pricing?.isFree &&
       !member
     ) {
       throw createError({
@@ -109,10 +109,13 @@ export default defineEventHandler(async (event) => {
       registeredAt: new Date(),
     };
 
-    eventData.registrations.push(registration);
-
-    // Save the updated event
-    await eventData.save();
+    // Use $push to avoid re-validating the whole document (e.g. legacy location formats)
+    const result = await Event.findByIdAndUpdate(
+      eventData._id,
+      { $push: { registrations: registration } },
+      { new: true, runValidators: false }
+    );
+    const newRegistration = result.registrations[result.registrations.length - 1];
 
     // Send confirmation email using Resend
     try {
@@ -125,8 +128,7 @@ export default defineEventHandler(async (event) => {
     return {
       success: true,
       message: "Successfully registered for the event",
-      registrationId:
-        eventData.registrations[eventData.registrations.length - 1]._id,
+      registrationId: newRegistration._id,
     };
   } catch (error) {
     console.error("Error registering for event:", error);
diff --git a/server/api/helcim/create-plan.post.js b/server/api/helcim/create-plan.post.js
index 96b0314..c1565e6 100644
--- a/server/api/helcim/create-plan.post.js
+++ b/server/api/helcim/create-plan.post.js
@@ -7,7 +7,7 @@ export default defineEventHandler(async (event) => {
     const config = useRuntimeConfig(event)
     const body = await validateBody(event, helcimCreatePlanSchema)
 
-    const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
+    const helcimToken = config.helcimApiToken
 
 
     const response = await fetch(`${HELCIM_API_BASE}/payment-plans`, {
diff --git a/server/api/helcim/customer-code.get.js b/server/api/helcim/customer-code.get.js
index 9f9d406..df2253e 100644
--- a/server/api/helcim/customer-code.get.js
+++ b/server/api/helcim/customer-code.get.js
@@ -45,7 +45,7 @@ export default defineEventHandler(async (event) => {
       })
     }
 
-    const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
+    const helcimToken = config.helcimApiToken
 
     const response = await fetch(
       `${HELCIM_API_BASE}/customers/${member.helcimCustomerId}`,
diff --git a/server/api/helcim/customer.post.js b/server/api/helcim/customer.post.js
index 9393d06..fced502 100644
--- a/server/api/helcim/customer.post.js
+++ b/server/api/helcim/customer.post.js
@@ -21,7 +21,7 @@ export default defineEventHandler(async (event) => {
     }
 
     // Get token directly from environment if not in config
-    const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
+    const helcimToken = config.helcimApiToken
     
     if (!helcimToken) {
       throw createError({
diff --git a/server/api/helcim/get-or-create-customer.post.js b/server/api/helcim/get-or-create-customer.post.js
index 52a6abc..34baf28 100644
--- a/server/api/helcim/get-or-create-customer.post.js
+++ b/server/api/helcim/get-or-create-customer.post.js
@@ -38,7 +38,7 @@ export default defineEventHandler(async (event) => {
       })
     }
 
-    const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
+    const helcimToken = config.helcimApiToken
 
     // First, search for existing customer
     try {
diff --git a/server/api/helcim/initialize-payment.post.js b/server/api/helcim/initialize-payment.post.js
index 7064cba..f14c6ea 100644
--- a/server/api/helcim/initialize-payment.post.js
+++ b/server/api/helcim/initialize-payment.post.js
@@ -5,16 +5,16 @@ const HELCIM_API_BASE = "https://api.helcim.com/v2";
 
 export default defineEventHandler(async (event) => {
   try {
-    await requireAuth(event);
     const config = useRuntimeConfig(event);
     const body = await validateBody(event, helcimInitializePaymentSchema);
 
-
-    const helcimToken =
-      config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN;
-
-    // Determine payment type based on whether this is for a subscription or one-time payment
+    // Event ticket purchases can be made without authentication
     const isEventTicket = body.metadata?.type === "event_ticket";
+    if (!isEventTicket) {
+      await requireAuth(event);
+    }
+
+    const helcimToken = config.helcimApiToken;
     const amount = body.amount || 0;
 
     // For event tickets with amount > 0, we do a purchase
diff --git a/server/api/helcim/plans.get.js b/server/api/helcim/plans.get.js
index 12278db..6621987 100644
--- a/server/api/helcim/plans.get.js
+++ b/server/api/helcim/plans.get.js
@@ -5,7 +5,7 @@ export default defineEventHandler(async (event) => {
   try {
     await requireAdmin(event)
     const config = useRuntimeConfig(event)
-    const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
+    const helcimToken = config.helcimApiToken
     
     const response = await fetch(`${HELCIM_API_BASE}/payment-plans`, {
       method: 'GET',
diff --git a/server/api/helcim/subscription.post.js b/server/api/helcim/subscription.post.js
index f5ebd3e..1bb9f32 100644
--- a/server/api/helcim/subscription.post.js
+++ b/server/api/helcim/subscription.post.js
@@ -157,7 +157,7 @@ export default defineEventHandler(async (event) => {
     }
 
     // Try to create subscription in Helcim
-    const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
+    const helcimToken = config.helcimApiToken
     
     // Generate a proper alphanumeric idempotency key (exactly 25 characters)
     const chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
diff --git a/server/api/helcim/subscriptions.get.js b/server/api/helcim/subscriptions.get.js
index 6a29d44..6636503 100644
--- a/server/api/helcim/subscriptions.get.js
+++ b/server/api/helcim/subscriptions.get.js
@@ -5,7 +5,7 @@ export default defineEventHandler(async (event) => {
   try {
     await requireAdmin(event)
     const config = useRuntimeConfig(event)
-    const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
+    const helcimToken = config.helcimApiToken
     
     const response = await fetch(`${HELCIM_API_BASE}/subscriptions`, {
       method: 'GET',
diff --git a/server/api/helcim/update-billing.post.js b/server/api/helcim/update-billing.post.js
index 08054b3..5c4fdac 100644
--- a/server/api/helcim/update-billing.post.js
+++ b/server/api/helcim/update-billing.post.js
@@ -11,7 +11,7 @@ export default defineEventHandler(async (event) => {
 
     const { billingAddress } = body
 
-    const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
+    const helcimToken = config.helcimApiToken
     
     // Update customer billing address in Helcim
     const response = await fetch(`${HELCIM_API_BASE}/customers/${body.customerId}`, {
diff --git a/server/api/helcim/verify-payment.post.js b/server/api/helcim/verify-payment.post.js
index 16fc074..1d0741c 100644
--- a/server/api/helcim/verify-payment.post.js
+++ b/server/api/helcim/verify-payment.post.js
@@ -11,7 +11,7 @@ export default defineEventHandler(async (event) => {
     const config = useRuntimeConfig(event)
     const body = await validateBody(event, paymentVerifySchema)
 
-    const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
+    const helcimToken = config.helcimApiToken
 
     if (!helcimToken) {
       throw createError({
diff --git a/server/api/members/cancel-subscription.post.js b/server/api/members/cancel-subscription.post.js
index 5c7b30f..83c5b04 100644
--- a/server/api/members/cancel-subscription.post.js
+++ b/server/api/members/cancel-subscription.post.js
@@ -18,8 +18,7 @@ export default defineEventHandler(async (event) => {
       };
     }
 
-    const helcimToken =
-      config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN;
+    const helcimToken = config.helcimApiToken;
 
     try {
       // Cancel Helcim subscription
diff --git a/server/api/members/directory.get.js b/server/api/members/directory.get.js
index 3598647..ef78beb 100644
--- a/server/api/members/directory.get.js
+++ b/server/api/members/directory.get.js
@@ -89,7 +89,7 @@ export default defineEventHandler(async (event) => {
   try {
     const members = await Member.find(dbQuery)
       .select(
-        "name pronouns timeZone avatar studio bio location socialLinks offering lookingFor privacy circle peerSupport slackUserId createdAt",
+        "name pronouns timeZone avatar studio bio location socialLinks offering lookingFor privacy circle peerSupport createdAt",
       )
       .sort({ createdAt: -1 })
       .lean();
@@ -124,10 +124,15 @@ export default defineEventHandler(async (event) => {
       if (isVisible("offering")) filtered.offering = member.offering;
       if (isVisible("lookingFor")) filtered.lookingFor = member.lookingFor;
 
-      // Always show peer support if enabled (it's opt-in, so public by nature)
+      // Peer support: expose only fields needed for matching/contact UX
+      // slackUserId, slackDMChannelId, slackUsername, personalMessage are internal
       if (member.peerSupport?.enabled) {
-        filtered.peerSupport = member.peerSupport;
-        filtered.slackUserId = member.slackUserId;
+        filtered.peerSupport = {
+          enabled: true,
+          skillTopics: member.peerSupport.skillTopics,
+          supportTopics: member.peerSupport.supportTopics,
+          availability: member.peerSupport.availability,
+        };
       }
 
       return filtered;
diff --git a/server/api/members/me/peer-support.patch.js b/server/api/members/me/peer-support.patch.js
index 6afb963..c3d51ea 100644
--- a/server/api/members/me/peer-support.patch.js
+++ b/server/api/members/me/peer-support.patch.js
@@ -1,120 +1,89 @@
-import jwt from "jsonwebtoken";
-import Member from "../../../models/member.js";
-import { connectDB } from "../../../utils/mongoose.js";
+import Member from '../../../models/member.js'
+import { connectDB } from '../../../utils/mongoose.js'
 
 export default defineEventHandler(async (event) => {
-  await connectDB();
+  await connectDB()
+  const member = await requireAuth(event)
 
-  const token = getCookie(event, "auth-token");
-
-  if (!token) {
-    throw createError({
-      statusCode: 401,
-      statusMessage: "Not authenticated",
-    });
-  }
-
-  let memberId;
-  try {
-    const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
-    memberId = decoded.memberId;
-  } catch (err) {
-    throw createError({
-      statusCode: 401,
-      statusMessage: "Invalid or expired token",
-    });
-  }
-
-  const body = await validateBody(event, peerSupportUpdateSchema);
+  const body = await validateBody(event, peerSupportUpdateSchema)
 
   // Build update object for peer support settings
   const updateData = {
-    "peerSupport.enabled": body.enabled || false,
-    "peerSupport.skillTopics": body.skillTopics || [],
-    "peerSupport.supportTopics": body.supportTopics || [],
-    "peerSupport.availability": body.availability || "",
-    "peerSupport.personalMessage": body.personalMessage || "",
-    "peerSupport.slackUsername": body.slackUsername || "",
-  };
+    'peerSupport.enabled': body.enabled || false,
+    'peerSupport.skillTopics': body.skillTopics || [],
+    'peerSupport.supportTopics': body.supportTopics || [],
+    'peerSupport.availability': body.availability || '',
+    'peerSupport.personalMessage': body.personalMessage || '',
+    'peerSupport.slackUsername': body.slackUsername || '',
+  }
 
   // If Slack username provided and peer support enabled, try to fetch Slack user ID
   if (body.enabled && body.slackUsername) {
     try {
       console.log(
         `[Peer Support] Attempting to fetch Slack user ID for: ${body.slackUsername}`,
-      );
+      )
 
-      // Dynamically import the Slack service
-      const { getSlackService } = await import("../../../utils/slack.ts");
-      const slackService = getSlackService();
+      const { getSlackService } = await import('../../../utils/slack.ts')
+      const slackService = getSlackService()
 
       if (slackService) {
-        console.log(
-          "[Peer Support] Slack service initialized, looking up user...",
-        );
-        const slackUserId = await slackService.findUserIdByUsername(
-          body.slackUsername,
-        );
+        console.log('[Peer Support] Slack service initialized, looking up user...')
+        const slackUserId = await slackService.findUserIdByUsername(body.slackUsername)
 
         if (slackUserId) {
-          updateData["slackUserId"] = slackUserId;
+          updateData['slackUserId'] = slackUserId
           console.log(
             `[Peer Support] ✓ Found Slack user ID for ${body.slackUsername}: ${slackUserId}`,
-          );
+          )
 
-          // Now get/create the DM channel
-          console.log("[Peer Support] Opening DM channel...");
-          const dmChannelId = await slackService.openDMChannel(slackUserId);
+          console.log('[Peer Support] Opening DM channel...')
+          const dmChannelId = await slackService.openDMChannel(slackUserId)
 
           if (dmChannelId) {
-            updateData["peerSupport.slackDMChannelId"] = dmChannelId;
-            console.log(`[Peer Support] ✓ Got DM channel ID: ${dmChannelId}`);
+            updateData['peerSupport.slackDMChannelId'] = dmChannelId
+            console.log(`[Peer Support] ✓ Got DM channel ID: ${dmChannelId}`)
           } else {
-            console.warn("[Peer Support] Could not get DM channel ID");
+            console.warn('[Peer Support] Could not get DM channel ID')
           }
         } else {
           console.warn(
             `[Peer Support] Could not find Slack user ID for username: ${body.slackUsername}`,
-          );
+          )
         }
       } else {
-        console.log(
-          "[Peer Support] Slack service not configured, skipping user ID lookup",
-        );
+        console.log('[Peer Support] Slack service not configured, skipping user ID lookup')
       }
     } catch (error) {
-      console.error(
-        "[Peer Support] Error fetching Slack user ID:",
-        error.message,
-      );
-      console.error("[Peer Support] Stack trace:", error.stack);
+      console.error('[Peer Support] Error fetching Slack user ID:', error.message)
+      console.error('[Peer Support] Stack trace:', error.stack)
       // Continue anyway - we'll still save the username
     }
   }
 
   try {
-    const member = await Member.findByIdAndUpdate(
-      memberId,
+    const updated = await Member.findByIdAndUpdate(
+      member._id,
       { $set: updateData },
       { new: true, runValidators: true },
-    );
+    )
 
-    if (!member) {
+    if (!updated) {
       throw createError({
         statusCode: 404,
-        statusMessage: "Member not found",
-      });
+        statusMessage: 'Member not found',
+      })
     }
 
     return {
       success: true,
-      peerSupport: member.peerSupport,
-    };
+      peerSupport: updated.peerSupport,
+    }
   } catch (error) {
-    console.error("Peer support update error:", error);
+    console.error('Peer support update error:', error)
     throw createError({
       statusCode: 500,
-      statusMessage: "Failed to update peer support settings",
-    });
+      statusMessage: 'Failed to update peer support settings',
+    })
   }
-});
+})
diff --git a/server/api/members/my-calendar.get.js b/server/api/members/my-calendar.get.js
index ab45f60..91fe918 100644
--- a/server/api/members/my-calendar.get.js
+++ b/server/api/members/my-calendar.get.js
@@ -1,114 +1,94 @@
-import Event from "../../models/event";
-import Member from "../../models/member";
+import { connectDB } from '../../utils/mongoose.js'
+import Event from '../../models/event'
 
 export default defineEventHandler(async (event) => {
-  const query = getQuery(event);
-  const { memberId } = query;
-
-  if (!memberId) {
-    throw createError({
-      statusCode: 400,
-      statusMessage: "Member ID is required",
-    });
-  }
+  await connectDB()
+  const member = await requireAuth(event)
 
   try {
-    // Verify member exists
-    const member = await Member.findById(memberId);
-    if (!member) {
-      throw createError({
-        statusCode: 404,
-        statusMessage: "Member not found",
-      });
-    }
-
-    // Find all events where the user is registered
     const events = await Event.find({
-      "registrations.memberId": memberId,
+      'registrations.memberId': member._id,
       isCancelled: { $ne: true },
     })
-      .select("title slug description startDate endDate location")
-      .sort({ startDate: 1 });
+      .select('title slug description startDate endDate location')
+      .sort({ startDate: 1 })
 
-    // Generate iCal format
-    const ical = generateICalendar(events, member);
+    const ical = generateICalendar(events, member)
 
-    // Set headers for calendar subscription (not download)
-    setHeader(event, "Content-Type", "text/calendar; charset=utf-8");
-    setHeader(event, "Cache-Control", "no-cache, no-store, must-revalidate");
-    setHeader(event, "Pragma", "no-cache");
-    setHeader(event, "Expires", "0");
+    setHeader(event, 'Content-Type', 'text/calendar; charset=utf-8')
+    setHeader(event, 'Cache-Control', 'no-cache, no-store, must-revalidate')
+    setHeader(event, 'Pragma', 'no-cache')
+    setHeader(event, 'Expires', '0')
 
-    return ical;
+    return ical
   } catch (error) {
-    console.error("Error generating calendar:", error);
+    console.error('Error generating calendar:', error)
 
     if (error.statusCode) {
-      throw error;
+      throw error
     }
 
     throw createError({
       statusCode: 500,
-      statusMessage: "Failed to generate calendar",
-    });
+      statusMessage: 'Failed to generate calendar',
+    })
   }
-});
+})
 
 function generateICalendar(events, member) {
-  const now = new Date();
+  const now = new Date()
   const timestamp = now
     .toISOString()
-    .replace(/[-:]/g, "")
-    .replace(/\.\d{3}/, "");
+    .replace(/[-:]/g, '')
+    .replace(/\.\d{3}/, '')
 
   let ical = [
-    "BEGIN:VCALENDAR",
-    "VERSION:2.0",
-    "PRODID:-//Ghost Guild//Events Calendar//EN",
-    "CALSCALE:GREGORIAN",
-    "METHOD:PUBLISH",
-    "X-WR-CALNAME:Ghost Guild - My Events",
-    "X-WR-TIMEZONE:UTC",
-    "X-WR-CALDESC:Your registered Ghost Guild events",
-    "REFRESH-INTERVAL;VALUE=DURATION:PT1H",
-    "X-PUBLISHED-TTL:PT1H",
-  ];
+    'BEGIN:VCALENDAR',
+    'VERSION:2.0',
+    'PRODID:-//Ghost Guild//Events Calendar//EN',
+    'CALSCALE:GREGORIAN',
+    'METHOD:PUBLISH',
+    'X-WR-CALNAME:Ghost Guild - My Events',
+    'X-WR-TIMEZONE:UTC',
+    'X-WR-CALDESC:Your registered Ghost Guild events',
+    'REFRESH-INTERVAL;VALUE=DURATION:PT1H',
+    'X-PUBLISHED-TTL:PT1H',
+  ]
 
   events.forEach((evt) => {
-    const eventStart = new Date(evt.startDate);
-    const eventEnd = new Date(evt.endDate);
+    const eventStart = new Date(evt.startDate)
+    const eventEnd = new Date(evt.endDate)
 
     const dtstart = eventStart
       .toISOString()
-      .replace(/[-:]/g, "")
-      .replace(/\.\d{3}/, "");
+      .replace(/[-:]/g, '')
+      .replace(/\.\d{3}/, '')
     const dtend = eventEnd
       .toISOString()
-      .replace(/[-:]/g, "")
-      .replace(/\.\d{3}/, "");
-    const dtstamp = timestamp;
+      .replace(/[-:]/g, '')
+      .replace(/\.\d{3}/, '')
+    const dtstamp = timestamp
 
-    // Clean description for iCal format
-    const description = (evt.description || "")
-      .replace(/\n/g, "\\n")
-      .replace(/,/g, "\\,");
+    const description = (evt.description || '')
+      .replace(/\n/g, '\\n')
+      .replace(/,/g, '\\,')
 
-    const eventUrl = `https://ghostguild.org/events/${evt.slug || evt._id}`;
+    const eventUrl = `https://ghostguild.org/events/${evt.slug || evt._id}`
 
-    ical.push("BEGIN:VEVENT");
-    ical.push(`UID:${evt._id}@ghostguild.org`);
-    ical.push(`DTSTAMP:${dtstamp}`);
-    ical.push(`DTSTART:${dtstart}`);
-    ical.push(`DTEND:${dtend}`);
-    ical.push(`SUMMARY:${evt.title}`);
-    ical.push(`DESCRIPTION:${description}\\n\\nView event: ${eventUrl}`);
-    ical.push(`LOCATION:${evt.location || "Online"}`);
-    ical.push(`URL:${eventUrl}`);
-    ical.push(`STATUS:CONFIRMED`);
-    ical.push("END:VEVENT");
-  });
+    ical.push('BEGIN:VEVENT')
+    ical.push(`UID:${evt._id}@ghostguild.org`)
+    ical.push(`DTSTAMP:${dtstamp}`)
+    ical.push(`DTSTART:${dtstart}`)
+    ical.push(`DTEND:${dtend}`)
+    ical.push(`SUMMARY:${evt.title}`)
+    ical.push(`DESCRIPTION:${description}\\n\\nView event: ${eventUrl}`)
+    ical.push(`LOCATION:${evt.location || 'Online'}`)
+    ical.push(`URL:${eventUrl}`)
+    ical.push('STATUS:CONFIRMED')
+    ical.push('END:VEVENT')
+  })
 
-  ical.push("END:VCALENDAR");
+  ical.push('END:VCALENDAR')
 
-  return ical.join("\r\n");
+  return ical.join('\r\n')
 }
diff --git a/server/api/members/my-events.get.js b/server/api/members/my-events.get.js
index f87cbf6..718d822 100644
--- a/server/api/members/my-events.get.js
+++ b/server/api/members/my-events.get.js
@@ -1,60 +1,36 @@
-import Event from "../../models/event";
-import Member from "../../models/member";
+import { connectDB } from '../../utils/mongoose.js'
+import Event from '../../models/event'
 
 export default defineEventHandler(async (event) => {
-  const query = getQuery(event);
-  const { memberId } = query;
-
-  if (!memberId) {
-    throw createError({
-      statusCode: 400,
-      statusMessage: "Member ID is required",
-    });
-  }
+  await connectDB()
+  const member = await requireAuth(event)
 
   try {
-    // Verify member exists
-    const member = await Member.findById(memberId);
-    if (!member) {
-      throw createError({
-        statusCode: 404,
-        statusMessage: "Member not found",
-      });
-    }
-
-    // Find all events where the user is registered
-    // Filter out cancelled events and only show future events
-    const now = new Date();
+    const now = new Date()
 
     const events = await Event.find({
-      "registrations.memberId": memberId,
+      'registrations.memberId': member._id,
       isCancelled: { $ne: true },
       startDate: { $gte: now },
     })
-      .select(
-        "title slug description startDate endDate location featureImage maxAttendees registeredCount",
-      )
+      .select('title slug description startDate endDate location featureImage maxAttendees registeredCount')
       .sort({ startDate: 1 })
-      .limit(10);
-
-    console.log(
-      `Found ${events.length} registered events for member ${memberId}`,
-    );
+      .limit(10)
 
     return {
       events,
       count: events.length,
-    };
+    }
   } catch (error) {
-    console.error("Error fetching member events:", error);
+    console.error('Error fetching member events:', error)
 
     if (error.statusCode) {
-      throw error;
+      throw error
     }
 
     throw createError({
       statusCode: 500,
-      statusMessage: "Failed to fetch registered events",
-    });
+      statusMessage: 'Failed to fetch registered events',
+    })
   }
-});
+})
diff --git a/server/api/members/profile.patch.js b/server/api/members/profile.patch.js
index bd396d6..5e9946a 100644
--- a/server/api/members/profile.patch.js
+++ b/server/api/members/profile.patch.js
@@ -19,6 +19,7 @@ export default defineEventHandler(async (event) => {
     "location",
     "socialLinks",
     "showInDirectory",
+    "notifications",
   ];
 
   // Privacy fields from validated body
@@ -96,6 +97,7 @@ export default defineEventHandler(async (event) => {
       offering: member.offering,
       lookingFor: member.lookingFor,
       showInDirectory: member.showInDirectory,
+      notifications: member.notifications,
     };
   } catch (error) {
     if (error.statusCode) throw error;
diff --git a/server/api/members/update-circle.post.js b/server/api/members/update-circle.post.js
new file mode 100644
index 0000000..c3a685b
--- /dev/null
+++ b/server/api/members/update-circle.post.js
@@ -0,0 +1,34 @@
+// Update member's circle
+import Member from '../../models/member.js'
+import { connectDB } from '../../utils/mongoose.js'
+import { requireAuth } from '../../utils/auth.js'
+
+export default defineEventHandler(async (event) => {
+  try {
+    const member = await requireAuth(event)
+    await connectDB()
+    const body = await validateBody(event, updateCircleSchema)
+
+    if (member.circle === body.circle) {
+      return { success: true, message: 'Already in this circle' }
+    }
+
+    await Member.findByIdAndUpdate(
+      member._id,
+      { $set: { circle: body.circle } },
+      { runValidators: false }
+    )
+
+    return {
+      success: true,
+      message: `Circle updated to ${body.circle}`,
+    }
+  } catch (error) {
+    if (error.statusCode) throw error
+    console.error('Error updating circle:', error)
+    throw createError({
+      statusCode: 500,
+      statusMessage: 'An unexpected error occurred',
+    })
+  }
+})
diff --git a/server/api/members/update-contribution.post.js b/server/api/members/update-contribution.post.js
index adc7f03..92e76cb 100644
--- a/server/api/members/update-contribution.post.js
+++ b/server/api/members/update-contribution.post.js
@@ -1,48 +1,19 @@
 // Update member's contribution tier
-import jwt from "jsonwebtoken";
 import {
   getHelcimPlanId,
   requiresPayment,
-  isValidContributionValue,
 } from "../../config/contributions.js";
-import Member from "../../models/member.js";
 import { connectDB } from "../../utils/mongoose.js";
+import Member from "../../models/member.js";
 
 const HELCIM_API_BASE = "https://api.helcim.com/v2";
 
 export default defineEventHandler(async (event) => {
   try {
+    const member = await requireAuth(event);
     await connectDB();
     const config = useRuntimeConfig(event);
     const body = await validateBody(event, updateContributionSchema);
-    const token = getCookie(event, "auth-token");
-
-    if (!token) {
-      throw createError({
-        statusCode: 401,
-        statusMessage: "Not authenticated",
-      });
-    }
-
-    // Decode JWT token
-    let decoded;
-    try {
-      decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
-    } catch (err) {
-      throw createError({
-        statusCode: 401,
-        statusMessage: "Invalid or expired token",
-      });
-    }
-
-    // Get member
-    const member = await Member.findById(decoded.memberId);
-    if (!member) {
-      throw createError({
-        statusCode: 404,
-        statusMessage: "Member not found",
-      });
-    }
 
     const oldTier = member.contributionTier;
     const newTier = body.contributionTier;
@@ -55,8 +26,7 @@ export default defineEventHandler(async (event) => {
       };
     }
 
-    const helcimToken =
-      config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN;
+    const helcimToken = config.helcimApiToken;
     const oldRequiresPayment = requiresPayment(oldTier);
     const newRequiresPayment = requiresPayment(newTier);
 
@@ -73,8 +43,7 @@ export default defineEventHandler(async (event) => {
       }
 
       // Try to fetch customer info from Helcim to check for saved cards
-      const helcimToken =
-        config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN;
+      const helcimToken = config.helcimApiToken;
 
       try {
         const customerResponse = await fetch(
@@ -185,11 +154,11 @@ export default defineEventHandler(async (event) => {
         }
 
         // Update member record
-        member.contributionTier = newTier;
-        member.helcimSubscriptionId = subscription.id;
-        member.paymentMethod = "card";
-        member.status = "active";
-        await member.save();
+        await Member.findByIdAndUpdate(
+          member._id,
+          { $set: { contributionTier: newTier, helcimSubscriptionId: subscription.id, paymentMethod: "card", status: "active" } },
+          { runValidators: false }
+        );
 
         return {
           success: true,
@@ -241,10 +210,11 @@ export default defineEventHandler(async (event) => {
       }
 
       // Update member to free tier
-      member.contributionTier = newTier;
-      member.helcimSubscriptionId = null;
-      member.paymentMethod = "none";
-      await member.save();
+      await Member.findByIdAndUpdate(
+        member._id,
+        { $set: { contributionTier: newTier, helcimSubscriptionId: null, paymentMethod: "none" } },
+        { runValidators: false }
+      );
 
       return {
         success: true,
@@ -303,8 +273,11 @@ export default defineEventHandler(async (event) => {
         const subscriptionData = await response.json();
 
         // Update member record
-        member.contributionTier = newTier;
-        await member.save();
+        await Member.findByIdAndUpdate(
+          member._id,
+          { $set: { contributionTier: newTier } },
+          { runValidators: false }
+        );
 
         return {
           success: true,
@@ -321,8 +294,11 @@ export default defineEventHandler(async (event) => {
     }
 
     // Case 4: Moving between free tiers (shouldn't happen but handle it)
-    member.contributionTier = newTier;
-    await member.save();
+    await Member.findByIdAndUpdate(
+      member._id,
+      { $set: { contributionTier: newTier } },
+      { runValidators: false }
+    );
 
     return {
       success: true,
diff --git a/server/middleware/02.security-headers.js b/server/middleware/02.security-headers.js
index 71cc91d..7129372 100644
--- a/server/middleware/02.security-headers.js
+++ b/server/middleware/02.security-headers.js
@@ -18,9 +18,9 @@ export default defineEventHandler((event) => {
       headers['Content-Security-Policy'] = [
         "default-src 'self'",
         "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://myposjs.helcim.com https://plausible.io",
-        "style-src 'self' 'unsafe-inline'",
+        "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
         "img-src 'self' data: https://res.cloudinary.com https://*.cloudinary.com",
-        "font-src 'self'",
+        "font-src 'self' https://fonts.gstatic.com",
         "connect-src 'self' https://api.helcim.com https://myposjs.helcim.com https://plausible.io",
         "frame-src 'self' https://myposjs.helcim.com https://secure.helcim.com",
         "base-uri 'self'",
diff --git a/server/middleware/03.rate-limit.js b/server/middleware/03.rate-limit.js
index 2641598..ac87ef7 100644
--- a/server/middleware/03.rate-limit.js
+++ b/server/middleware/03.rate-limit.js
@@ -35,7 +35,7 @@ function getClientIp(event) {
     || 'unknown'
 }
 
-const AUTH_PATHS = new Set(['/api/auth/login'])
+const AUTH_PATHS = new Set(['/api/auth/login', '/api/auth/verify'])
 const PAYMENT_PREFIXES = ['/api/helcim/']
 const UPLOAD_PATHS = new Set(['/api/upload/image'])
 
diff --git a/server/models/member.js b/server/models/member.js
index e1bf537..3b744db 100644
--- a/server/models/member.js
+++ b/server/models/member.js
@@ -45,7 +45,7 @@ const memberSchema = new mongoose.Schema({
   slackInvited: { type: Boolean, default: false },
   slackInviteStatus: {
     type: String,
-    enum: ["pending", "sent", "failed", "accepted"],
+    enum: ["pending", "sent", "failed", "accepted", "joined"],
     default: "pending",
   },
   slackUserId: String,
@@ -133,9 +133,22 @@ const memberSchema = new mongoose.Schema({
     },
   },
 
+  notifications: {
+    events: { type: Boolean, default: true },
+    updates: { type: Boolean, default: true },
+    peerRequests: { type: Boolean, default: true },
+  },
+
   inviteEmailSent: { type: Boolean, default: false },
   inviteEmailSentAt: Date,
 
+  // Magic link single-use enforcement
+  magicLinkJti: String,
+  magicLinkJtiUsed: { type: Boolean, default: false },
+
+  // Session revocation via token versioning
+  tokenVersion: { type: Number, default: 0 },
+
   createdAt: { type: Date, default: Date.now },
   lastLogin: Date,
 });
diff --git a/server/utils/auth.js b/server/utils/auth.js
index a0cacfc..7398707 100644
--- a/server/utils/auth.js
+++ b/server/utils/auth.js
@@ -44,6 +44,14 @@ export async function requireAuth(event) {
     })
   }
 
+  // Verify session has not been revoked (tokenVersion incremented on logout)
+  if (decoded.tv !== member.tokenVersion) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: 'Session has been revoked'
+    })
+  }
+
   return member
 }