ContributionAmountField now emits cadence-unit values (180 for $180/yr,
15 for $15/mo). Server endpoints were still multiplying annual by 12,
which would have charged $2160/yr instead of $180/yr after the form
ports in Tasks 2–3.

- helcim/subscription.post.js: recurringAmount = contributionAmount
  (no more × 12 for annual)
- members/update-contribution.post.js: same drop in both Case 1
  (free→paid) and Case 3 (paid→paid)
- slack.ts notifyNewMember: new positional `cadence` param so the
  Slack notification suffix renders /yr or /mo instead of hardcoded
  /month; all three call sites updated to pass member.billingCadence
- tests updated to match the new contract:
  - helcim-subscription.test.js: annual tests now send the
    cadence-unit amount (180, 600) and expect the same recurringAmount
  - update-contribution.test.js: annual Case 1 and Case 3 tests
    updated likewise

Replaces the per-file inviteToSlack helpers with a single auto-flag
call. Self-serve activation paths now check for pre-existing workspace
membership (silent on miss) instead of attempting an admin-only invite.

- helcim/subscription.post.js: removed local inviteToSlack; both
  free- and paid-tier activation branches now call the helper, then
  notifyNewMember with the canonical 'manual_invitation_required' arg.
- members/create.post.js: same shape — helper + canonical notify arg.
- invite/accept.post.js (free-tier branch): added the helper call after
  member creation. Free-tier had no prior Slack call (audit confirmed);
  paid-tier remains untouched and activates via the Helcim webhook.

Admin-created and CSV-imported members intentionally do NOT call the
helper — admins flip the flag manually after sending the invite.

Test stub for autoFlagPreExistingSlackAccess added to server setup.

Adds schema-based input validation across helcim, events, members,
series, admin, and updates API endpoints. Removes the peer-support
debug test endpoint. Adds validation test coverage.

- Add centralized Zod schemas (server/utils/schemas.js) and validateBody
  utility for all API endpoints
- Fix critical mass assignment in member creation: raw body no longer
  passed to new Member(), only validated fields (email, name, circle,
  contributionTier) are accepted
- Apply Zod validation to login, profile patch, event registration,
  updates, verify-payment, and admin event creation endpoints
- Fix logout cookie flags to match login (httpOnly: true, secure
  conditional on NODE_ENV)
- Delete unauthenticated test/debug endpoints (test-connection,
  test-subscription, test-bot)
- Remove sensitive console.log statements from Helcim and member
  endpoints
- Remove unused bcryptjs dependency
- Add 10MB file size limit on image uploads
- Use runtime config for JWT secret across all endpoints
- Add 38 validation tests (117 total, all passing)
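
The mass-assignment fix listed above, sketched as an added example (not the project's code): a dependency-free allow-list check stands in for the Zod schema. The `Member` class, its `role` and `status` fields, the per-field rules and the sample body are assumptions made for illustration.

```javascript
// Hypothetical stand-in for the project's Member model: like many ODM models,
// it copies every property it is given, including privileged ones.
class Member {
  constructor(fields) {
    Object.assign(this, { role: 'member', status: 'pending' }, fields);
  }
}

// The four fields the commit message says are accepted. The per-field rules
// are assumptions for this example, not the project's Zod schema.
const memberCreateRules = {
  email: (v) => typeof v === 'string' && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
  name: (v) => typeof v === 'string' && v.trim().length > 0 && v.length <= 200,
  circle: (v) => typeof v === 'string' && v.length > 0,
  contributionTier: (v) => typeof v === 'string' && v.length > 0,
};

// Returns a new object holding only allow-listed, valid fields. Unknown keys
// are never copied, so they cannot reach the model.
function validateMemberBody(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    throw new TypeError('request body must be a JSON object');
  }
  const clean = {};
  for (const [field, isValid] of Object.entries(memberCreateRules)) {
    // Own properties only, so inherited values cannot satisfy a rule.
    const present = Object.prototype.hasOwnProperty.call(body, field);
    if (!present || !isValid(body[field])) {
      throw new TypeError(`invalid or missing field: ${field}`);
    }
    clean[field] = body[field];
  }
  return clean;
}

// Before: the raw body reaches the model (mass assignment).
const createMemberUnsafe = (body) => new Member(body);
// After: only the validated fields do.
const createMemberSafe = (body) => new Member(validateMemberBody(body));

// Constructed request body carrying two fields the client should not control.
const sampleBody = {
  email: 'ada@example.org', name: 'Ada', circle: 'community',
  contributionTier: '15', role: 'admin', status: 'active',
};
```

With `sampleBody`, the unsafe path produces a member whose `role` is `admin`, while the validated path keeps the model defaults.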