fix: use private helcimApiToken for all server-side Helcim API calls

app/pages/updates/[id]/edit.vue

@@ -0,0 +1,157 @@
+<template>
+  <div>
+    <div class="back-link">
+      <NuxtLink to="/member/my-updates">&larr; Back to My Updates</NuxtLink>
+    </div>
+
+    <div v-if="pending" class="loading">Loading update...</div>
+
+    <template v-else-if="update">
+      <div class="form-header">
+        <h1>Edit Update</h1>
+      </div>
+
+      <form @submit.prevent="handleSubmit" class="update-form">
+        <div class="field">
+          <label class="section-label">Content</label>
+          <textarea
+            v-model="form.content"
+            rows="8"
+            required
+            :disabled="saving"
+          ></textarea>
+          <div class="char-count">{{ form.content.length }} / 50000</div>
+        </div>
+
+        <div class="field">
+          <label class="section-label">Visibility</label>
+          <select v-model="form.privacy" :disabled="saving">
+            <option value="members">Members only</option>
+            <option value="public">Public</option>
+            <option value="private">Private (only you)</option>
+          </select>
+        </div>
+
+        <div class="form-actions">
+          <NuxtLink to="/member/my-updates" class="btn">Cancel</NuxtLink>
+          <button
+            type="submit"
+            class="btn btn-primary"
+            :disabled="saving || !form.content.trim()"
+          >
+            {{ saving ? 'Saving...' : 'Save Changes' }}
+          </button>
+        </div>
+      </form>
+    </template>
+
+    <div v-else class="loading">Update not found.</div>
+  </div>
+</template>
+
+<script setup>
+definePageMeta({ middleware: 'auth' })
+
+const route = useRoute()
+const toast = useToast()
+
+const { data: update, pending } = await useFetch(`/api/updates/${route.params.id}`)
+
+const form = ref({
+  content: update.value?.content || '',
+  privacy: update.value?.privacy || 'members',
+})
+
+watch(update, (val) => {
+  if (val) {
+    form.value.content = val.content || ''
+    form.value.privacy = val.privacy || 'members'
+  }
+})
+
+const saving = ref(false)
+
+const handleSubmit = async () => {
+  saving.value = true
+  try {
+    await $fetch(`/api/updates/${route.params.id}`, {
+      method: 'PATCH',
+      body: { content: form.value.content, privacy: form.value.privacy },
+    })
+    toast.add({ title: 'Update saved!', color: 'green' })
+    navigateTo('/member/my-updates')
+  } catch (err) {
+    toast.add({
+      title: 'Failed to save update',
+      description: err.data?.statusMessage || 'Please try again.',
+      color: 'red',
+    })
+  } finally {
+    saving.value = false
+  }
+}
+
+useHead({ title: 'Edit Update - Ghost Guild' })
+</script>
+
+<style scoped>
+.back-link {
+  padding: 12px 32px;
+  border-bottom: 1px dashed var(--border);
+  font-size: 12px;
+}
+.back-link a { color: var(--candle); text-decoration: none; }
+
+.loading {
+  padding: 48px 32px;
+  font-size: 12px;
+  color: var(--text-dim);
+}
+
+.form-header {
+  padding: 28px 32px 20px;
+  border-bottom: 1px dashed var(--border);
+}
+.form-header h1 {
+  font-family: 'Brygada 1918', serif;
+  font-size: 24px;
+  font-weight: 600;
+  color: var(--text-bright);
+}
+
+.update-form {
+  padding: 24px 32px;
+  max-width: 640px;
+  display: flex;
+  flex-direction: column;
+  gap: 20px;
+}
+
+.field { display: flex; flex-direction: column; gap: 6px; }
+
+textarea, select {
+  font-family: 'Commit Mono', monospace;
+  font-size: 13px;
+  background: var(--surface);
+  border: 1px dashed var(--border);
+  color: var(--text);
+  padding: 10px 12px;
+  resize: vertical;
+  width: 100%;
+}
+textarea:focus, select:focus { outline: none; border-color: var(--candle); }
+textarea:disabled, select:disabled { opacity: 0.6; }
+
+.char-count {
+  font-size: 11px;
+  color: var(--text-faint);
+  text-align: right;
+}
+
+.form-actions {
+  display: flex;
+  gap: 8px;
+  justify-content: flex-end;
+  padding-top: 4px;
+}
+</style>