refactor(rate-limit): delegate auth limiting to handlers, add dev bypass

Main's middleware-level auth limiter (5 req / 5 min, IP-only) duplicated
the handler-level limiter introduced earlier on this branch (5/hr IP +
3/hr per-email, blocks email enumeration across IPs). Drop the
middleware version and let the handlers own it.

Added ALLOW_DEV_TEST_ENDPOINTS bypass to the rateLimit utility so
parallel E2E runs from 127.0.0.1 don't exhaust per-IP/email budgets,
mirroring the existing middleware bypass.

Trimmed the obsolete middleware auth test; handler-level coverage lives
in tests/server/api/auth-{login,verify}.test.js. Switched IP-isolation
test to the payment path so it still exercises the limiter.

app/assets/css/main.css

@@ -273,6 +273,14 @@ p a, blockquote a {
   min-width: 0;
 }
 
+/* ---- Nuxt UI placeholder contrast ----
+   Default Nuxt UI placeholder uses `text-dimmed` (#a6a09b) which fails WCAG
+   AA on cream and white backgrounds (≈2.4:1). Override globally to --text-dim
+   so USelect/USelectMenu placeholders meet the 4.5:1 ratio. */
+[data-slot="placeholder"] {
+  color: var(--text-dim);
+}
+
 /* ---- SHARED USelectMenu STYLES ----
    Apply via: <USelectMenu class="zine-select" :ui="{ content: 'tz-content', item: 'tz-item', input: 'tz-input' }" />
    Classes are global (not scoped) because Nuxt UI portals the popup content to body. */

app/pages/index.vue

@@ -131,12 +131,10 @@ const DEFAULT_WIKI_FEATURE_TITLE = "What is a cooperative studio?";
 
 const { data: wikiFeature } = await useFetch(
   "/api/site-content/homepage.wiki_feature",
-  { default: () => ({ title: "", body: "" }) }
+  { default: () => ({ title: "", body: "" }) },
 );
 
-const hasCustomWikiFeature = computed(
-  () => !!wikiFeature.value?.body?.trim()
-);
+const hasCustomWikiFeature = computed(() => !!wikiFeature.value?.body?.trim());
 
 const customWikiParagraphs = computed(() => {
   const body = wikiFeature.value?.body?.trim() || "";
@@ -166,7 +164,7 @@ const circleData = [
     label: "Practitioner",
     metaphor: "The alcove",
     blurb:
-      "Where experience is shared and knowledge given back. You're here to teach, advise, mentor, and help shape the program itself. Alumni welcome.",
+      "Where experience is shared and knowledge given back. You're here to support newcomers, help shape the Cooperative Foundations program, and find peers.",
   },
 ];
 

app/pages/join.vue

@@ -64,26 +64,37 @@
         <!-- Left: Monthly Contribution -->
         <div class="join-col">
           <div class="section-label" style="margin-bottom: 12px">
-            {{ cadence === 'annual' ? 'Annual Contribution' : 'Monthly Contribution' }}
+            {{
+              cadence === "annual"
+                ? "Annual Contribution"
+                : "Monthly Contribution"
+            }}
           </div>
           <h2>Pay what you can</h2>
           <ul class="tier-list">
             <li><span class="tier-amt">$0</span> I need support right now</li>
-            <li><span class="tier-amt">{{ formatContributionAmount(5) }}</span> I can contribute</li>
             <li>
-              <span class="tier-amt">{{ formatContributionAmount(15) }}</span> I can sustain the community
-              (suggested)
+              <span class="tier-amt">{{ formatContributionAmount(5) }}</span> I
+              can contribute
             </li>
-            <li><span class="tier-amt">{{ formatContributionAmount(30) }}</span> I can support others too</li>
             <li>
-              <span class="tier-amt">{{ formatContributionAmount(50) }}</span> I want to sponsor multiple
-              members
+              <span class="tier-amt">{{ formatContributionAmount(15) }}</span> I
+              can sustain the community (suggested)
+            </li>
+            <li>
+              <span class="tier-amt">{{ formatContributionAmount(30) }}</span> I
+              can support others too
+            </li>
+            <li>
+              <span class="tier-amt">{{ formatContributionAmount(50) }}</span> I
+              want to sponsor multiple members
             </li>
           </ul>
           <p class="charity-note">
-            Baby Ghosts Studio Development Fund is a registered Canadian charity.
-            Members who file Canadian taxes can claim their contributions.
-            We'll help you set up tax receipts once you've joined.
+            Baby Ghosts Studio Development Fund is a registered Canadian
+            charity. Members who file Canadian taxes can claim their
+            contributions. We'll help you set up tax receipts once you've
+            joined.
           </p>
           <p class="solidarity-note">
             Pay what you can. If you can pay more, you're making room for
@@ -118,7 +129,7 @@
                   type="text"
                   placeholder="Your name"
                   required
-                >
+                />
               </div>
               <div class="form-group">
                 <label class="form-label" for="join-email">Email Address</label>
@@ -129,7 +140,7 @@
                   type="email"
                   placeholder="you@example.com"
                   required
-                >
+                />
               </div>
               <div class="form-group">
                 <label class="form-label">Circle</label>
@@ -141,7 +152,7 @@
                       type="radio"
                       name="circle"
                       value="community"
-                    >
+                    />
                     <label for="circle-community">
                       <span
                         class="circle-label-name"
@@ -158,7 +169,7 @@
                       type="radio"
                       name="circle"
                       value="founder"
-                    >
+                    />
                     <label for="circle-founder">
                       <span
                         class="circle-label-name"
@@ -175,7 +186,7 @@
                       type="radio"
                       name="circle"
                       value="practitioner"
-                    >
+                    />
                     <label for="circle-practitioner">
                       <span
                         class="circle-label-name"
@@ -197,7 +208,7 @@
                       type="radio"
                       name="cadence"
                       value="monthly"
-                    >
+                    />
                     <label for="cadence-monthly">
                       <span class="circle-label-name">Per Month</span>
                     </label>
@@ -209,7 +220,7 @@
                       type="radio"
                       name="cadence"
                       value="annual"
-                    >
+                    />
                     <label for="cadence-annual">
                       <span class="circle-label-name">Per Year</span>
                     </label>
@@ -230,9 +241,13 @@
                     step="1"
                     inputmode="numeric"
                     class="contribution-input"
-                  >
+                  />
                 </div>
-                <div class="contribution-presets" role="group" aria-label="Suggested amounts">
+                <div
+                  class="contribution-presets"
+                  role="group"
+                  aria-label="Suggested amounts"
+                >
                   <button
                     v-for="preset in CONTRIBUTION_PRESETS"
                     :key="preset.amount"
@@ -243,24 +258,30 @@
                     ${{ preset.amount }}
                   </button>
                 </div>
-                <p v-if="guidanceLabel" class="contribution-guidance">{{ guidanceLabel }}</p>
+                <p v-if="guidanceLabel" class="contribution-guidance">
+                  {{ guidanceLabel }}
+                </p>
               </div>
               <div v-if="form.contributionAmount > 0" class="form-group">
                 <div class="billing-summary">
                   <p class="billing-summary-line">
-                    You'll be charged <strong>${{ firstCharge }} today</strong><span v-if="cadence === 'annual'"> (${{ form.contributionAmount }}/month &times; 12)</span>.
+                    You'll be charged <strong>${{ firstCharge }} today</strong
+                    ><span v-if="cadence === 'annual'">
+                      (${{ form.contributionAmount }}/month &times; 12)</span
+                    >.
                   </p>
                   <p class="billing-summary-line">
-                    Then <strong>${{ firstCharge }} every {{ cadence === 'annual' ? 'year' : 'month' }}</strong>, until you cancel.
+                    Then
+                    <strong
+                      >${{ firstCharge }} every
+                      {{ cadence === "annual" ? "year" : "month" }}</strong
+                    >, until you cancel.
                   </p>
                 </div>
               </div>
               <div class="form-group full-width">
                 <label class="checkbox-label">
-                  <input
-                    v-model="form.agreedToGuidelines"
-                    type="checkbox"
-                  >
+                  <input v-model="form.agreedToGuidelines" type="checkbox" />
                   <span>
                     I agree to the Ghost Guild
                     <NuxtLink to="/community-guidelines" target="_blank"
@@ -338,12 +359,11 @@
           <h2>Practicing</h2>
           <p>
             For those already running cooperative studios or with deep
-            experience in cooperative practice. You are here to teach, advise,
-            mentor, and help shape the program itself. Alumni.
+            experience in cooperative practice. You're here to support newcomers
+            and help shape the Cooperative Foundations program.
           </p>
         </div>
       </div>
-
     </template>
 
     <!-- Flow overlay: covers the page from form submit through redirect.
@@ -434,7 +454,8 @@ const isFormValid = computed(() => {
     form.name &&
     form.email &&
     form.circle &&
-    Number.isInteger(form.contributionAmount) && form.contributionAmount >= 0 &&
+    Number.isInteger(form.contributionAmount) &&
+    form.contributionAmount >= 0 &&
     form.agreedToGuidelines
   );
 });
@@ -830,7 +851,7 @@ onUnmounted(() => {
   padding: 0.5rem 0.75rem;
   background: var(--input-bg);
   border: 1px solid var(--parch);
-  font-family: 'Commit Mono', monospace;
+  font-family: "Commit Mono", monospace;
   font-size: 1rem;
 }
 .contribution-input:focus {
@@ -847,7 +868,7 @@ onUnmounted(() => {
   padding: 0.25rem 0.75rem;
   background: transparent;
   border: 1px dashed var(--parch);
-  font-family: 'Commit Mono', monospace;
+  font-family: "Commit Mono", monospace;
   font-size: 0.875rem;
   cursor: pointer;
 }
@@ -1017,6 +1038,7 @@ onUnmounted(() => {
 .checkbox-label a,
 .checkbox-label :deep(a) {
   color: var(--candle);
+  text-decoration: underline;
 }
 
 /* ---- ERROR & SUCCESS BOXES ---- */
@@ -1126,5 +1148,4 @@ onUnmounted(() => {
     align-items: stretch;
   }
 }
-
 </style>

app/pages/member/profile.vue

@@ -712,10 +712,6 @@ useHead({
 
 .posts-empty-link {
   color: var(--candle);
-  text-decoration: none;
-}
-
-.posts-empty-link:hover {
   text-decoration: underline;
 }
 

e2e/admin-board-channels.spec.js

@@ -11,6 +11,7 @@ test.describe('Admin board channels page', () => {
 
   test('create, edit, and delete a channel', async ({ adminPage }) => {
     await adminPage.goto('/admin/board-channels')
+    await adminPage.waitForLoadState('networkidle')
     await expect(adminPage.getByRole('heading', { name: 'Board Channels' })).toBeVisible({
       timeout: 15000,
     })
@@ -18,14 +19,14 @@ test.describe('Admin board channels page', () => {
     const suffix = Date.now().toString().slice(-6)
     const channelName = `e2e-channel-${suffix}`
     const editedName = `e2e-channel-${suffix}-edited`
-    const slackId = `C${suffix}XYZ`
 
     // --- Create ---
+    // Create flow only takes a name; the Slack channel ID is auto-assigned on
+    // creation and only becomes editable in the Edit modal.
     await adminPage.getByRole('button', { name: '+ New Channel' }).click()
     await expect(adminPage.getByRole('heading', { name: 'New Channel' })).toBeVisible()
 
-    await adminPage.locator('input[placeholder="e.g., #coop-formation"]').fill(channelName)
-    await adminPage.locator('input[placeholder="C0123456789"]').fill(slackId)
+    await adminPage.locator('input[placeholder="e.g., coop-formation"]').fill(channelName)
 
     // Select the first available cooperative tag if any are present
     const firstTagCheckbox = adminPage.locator('.tag-select input[type="checkbox"]').first()
@@ -44,7 +45,7 @@ test.describe('Admin board channels page', () => {
     await row.getByRole('button', { name: 'Edit' }).click()
 
     await expect(adminPage.getByRole('heading', { name: 'Edit Channel' })).toBeVisible()
-    const nameInput = adminPage.locator('input[placeholder="e.g., #coop-formation"]')
+    const nameInput = adminPage.locator('input[placeholder="e.g., coop-formation"]')
     await nameInput.fill(editedName)
     await adminPage.getByRole('button', { name: 'Save Changes' }).click()
 

e2e/auth.spec.js

@@ -44,6 +44,7 @@ test.describe('Authentication flows', () => {
   test('logout clears auth', async ({ page }) => {
     await loginAsAdmin(page)
     await page.goto('/admin')
+    await page.waitForLoadState('networkidle')
     await expect(page.locator('.admin-tag')).toBeVisible({ timeout: 15000 })
 
     // Set up response listener BEFORE clicking to avoid race

e2e/board.spec.js

@@ -9,6 +9,7 @@ test.describe('Board page', () => {
 
   test('clicking New Post reveals the form', async ({ memberPage }) => {
     await memberPage.goto('/board')
+    await memberPage.waitForLoadState('networkidle')
     await expect(memberPage.getByRole('button', { name: '+ New Post' }).first()).toBeVisible({
       timeout: 15000,
     })
@@ -40,6 +41,7 @@ test.describe('Board page', () => {
 
   test('create, edit, and delete own post', async ({ memberPage }) => {
     await memberPage.goto('/board')
+    await memberPage.waitForLoadState('networkidle')
     await expect(memberPage.getByRole('button', { name: '+ New Post' }).first()).toBeVisible({
       timeout: 15000,
     })
@@ -55,7 +57,7 @@ test.describe('Board page', () => {
     await memberPage.locator('#post-title').fill(originalTitle)
     await memberPage.locator('#post-seeking').fill('Playwright test seeking text')
 
-    await memberPage.getByRole('button', { name: 'Post' }).click()
+    await memberPage.getByRole('button', { name: 'Post', exact: true }).click()
 
     await expect(memberPage.getByRole('heading', { name: originalTitle })).toBeVisible({
       timeout: 10000,
@@ -75,10 +77,10 @@ test.describe('Board page', () => {
       timeout: 10000,
     })
 
-    // --- Delete (confirm dialog) ---
-    memberPage.once('dialog', (dialog) => dialog.accept())
+    // --- Delete (in-card two-step confirm; not a native dialog) ---
     const editedCard = memberPage.locator('article.board-post', { hasText: editedTitle })
     await editedCard.getByRole('button', { name: 'Delete' }).click()
+    await editedCard.getByRole('button', { name: 'Confirm' }).click()
 
     await expect(memberPage.getByRole('heading', { name: editedTitle })).not.toBeVisible({
       timeout: 10000,

e2e/join-flow.spec.js

@@ -68,8 +68,12 @@ test.describe('Join page — member signup flow', () => {
     await page.locator('#join-name').fill('Test User')
     await expect(page.locator('.form-submit')).toBeDisabled()
 
-    // Fill email too — now all fields are populated and button should be enabled
+    // Fill email — agreement still unchecked, so still disabled
     await page.locator('#join-email').fill('incomplete-test@example.com')
+    await expect(page.locator('.form-submit')).toBeDisabled()
+
+    // Check the Community Guidelines agreement — now all required fields satisfied
+    await page.getByRole('checkbox', { name: /Community Guidelines/ }).check()
     await expect(page.locator('.form-submit')).toBeEnabled()
   })
 
@@ -83,8 +87,9 @@ test.describe('Join page — member signup flow', () => {
     await page.locator('#join-name').fill('E2E Test User')
     await page.locator('#join-email').fill(uniqueEmail)
     await page.locator('#circle-community').check({ force: true })
-    await page.locator('#join-contribution').click()
-    await page.getByRole('option', { name: '$0/mo' }).click()
+    // Contribution is now a numeric input with preset chips, not a select
+    await page.locator('#join-contribution').fill('0')
+    await page.getByRole('checkbox', { name: /Community Guidelines/ }).check()
 
     await expect(page.locator('.form-submit')).toBeEnabled()
 
@@ -93,8 +98,10 @@ test.describe('Join page — member signup flow', () => {
 
     await page.locator('.form-submit').click()
 
-    // Free tier creates subscription then shows confirmation (step 3)
-    await expect(page.locator('.success-box')).toBeVisible({ timeout: 15000 })
+    // Free tier flips the SignupFlowOverlay into its success state
+    await expect(
+      page.getByRole('heading', { name: 'Welcome to Ghost Guild!' })
+    ).toBeVisible({ timeout: 15000 })
   })
 
   test('duplicate email shows error', async ({ page }) => {
@@ -109,12 +116,13 @@ test.describe('Join page — member signup flow', () => {
     await page.locator('#join-name').fill('Dup Test User')
     await page.locator('#join-email').fill(duplicateEmail)
     await page.locator('#circle-community').check({ force: true })
-    await page.locator('#join-contribution').click()
-    await page.getByRole('option', { name: '$0/mo' }).click()
+    await page.locator('#join-contribution').fill('0')
+    await page.getByRole('checkbox', { name: /Community Guidelines/ }).check()
     await page.locator('.form-submit').click()
 
-    // Should show an error about the email already existing
-    await expect(page.locator('.error-box')).toBeVisible({ timeout: 10000 })
-    await expect(page.locator('.error-box')).toContainText(/already/i)
+    // Helcim 409 puts SignupFlowOverlay into its error state
+    const overlayError = page.locator('.signup-flow-overlay .error-box')
+    await expect(overlayError).toBeVisible({ timeout: 10000 })
+    await expect(overlayError).toContainText(/already/i)
   })
 })

e2e/member-profile.spec.js

@@ -3,9 +3,11 @@ import { test, expect } from './helpers/fixtures.js'
 test.describe('Member profile page', () => {
   test('profile page loads', async ({ adminPage }) => {
     await adminPage.goto('/member/profile')
+    await adminPage.waitForLoadState('networkidle')
     // Auth is checked client-side in onMounted — wait for profile form to render
     await expect(adminPage.getByText('Edit Profile')).toBeVisible({ timeout: 15000 })
-    await expect(adminPage.getByText('How you appear to other members')).toBeVisible()
+    // Verify a stable structural section label, not transient marketing copy
+    await expect(adminPage.getByText('Show in Member Directory')).toBeVisible()
   })
 
   test('form fields are present', async ({ adminPage }) => {
@@ -24,6 +26,7 @@ test.describe('Member profile page', () => {
 
   test('bio field accepts input', async ({ adminPage }) => {
     await adminPage.goto('/member/profile')
+    await adminPage.waitForLoadState('networkidle')
     await expect(adminPage.getByText('Edit Profile')).toBeVisible({ timeout: 15000 })
 
     const bio = adminPage.locator('textarea[placeholder*="Share your background"]')

server/middleware/03.rate-limit.js

@@ -1,12 +1,5 @@
 import { RateLimiterMemory } from 'rate-limiter-flexible'
 
-// Strict rate limit for auth endpoints
-const authLimiter = new RateLimiterMemory({
-  points: 5,     // 5 requests
-  duration: 300, // per 5 minutes
-  keyPrefix: 'rl_auth'
-})
-
 // Moderate rate limit for payment endpoints
 const paymentLimiter = new RateLimiterMemory({
   points: 10,
@@ -35,7 +28,6 @@ function getClientIp(event) {
     || 'unknown'
 }
 
-const AUTH_PATHS = new Set(['/api/auth/login', '/api/auth/verify'])
 const PAYMENT_PREFIXES = ['/api/helcim/']
 const UPLOAD_PATHS = new Set(['/api/upload/image'])
 
@@ -43,12 +35,15 @@ export default defineEventHandler(async (event) => {
   const path = getRequestURL(event).pathname
   if (!path.startsWith('/api/')) return
 
+  // Bypass rate limiting in test/dev opt-in mode so parallel E2E runs from a
+  // single IP (127.0.0.1) do not exhaust the per-IP budget. Mirrors the gate
+  // used by /api/dev/* endpoints — only set in development and by Playwright.
+  if (process.env.ALLOW_DEV_TEST_ENDPOINTS === 'true') return
+
   const ip = getClientIp(event)
 
   try {
-    if (AUTH_PATHS.has(path)) {
-      await authLimiter.consume(ip)
-    } else if (PAYMENT_PREFIXES.some(p => path.startsWith(p))) {
+    if (PAYMENT_PREFIXES.some(p => path.startsWith(p))) {
       await paymentLimiter.consume(ip)
     } else if (UPLOAD_PATHS.has(path)) {
       await uploadLimiter.consume(ip)

server/utils/rateLimit.js

@@ -4,6 +4,11 @@
 const buckets = new Map()
 
 export function rateLimit(key, { max, windowMs }) {
+  // Bypass in test/dev opt-in mode so parallel E2E runs from a single IP
+  // (127.0.0.1) don't exhaust per-IP/email budgets. Mirrors the gate used by
+  // /api/dev/* endpoints and server/middleware/03.rate-limit.js.
+  if (process.env.ALLOW_DEV_TEST_ENDPOINTS === 'true') return true
+
   const now = Date.now()
 
   // Probabilistic sweep: ~1% of calls evict keys whose newest entry has fully

tests/server/middleware/rate-limit.test.js

@@ -18,35 +18,6 @@ describe('rate-limit middleware', () => {
     })
   })
 
-  describe('auth endpoint limiting (5 per 5 min)', () => {
-    it('allows 5 requests then blocks the 6th', async () => {
-      const ip = '10.0.1.1'
-
-      // First 5 should succeed
-      for (let i = 0; i < 5; i++) {
-        const event = createMockEvent({
-          method: 'POST',
-          path: '/api/auth/login',
-          remoteAddress: ip
-        })
-        await expect(rateLimitMiddleware(event)).resolves.toBeUndefined()
-      }
-
-      // 6th should be rate limited
-      const event = createMockEvent({
-        method: 'POST',
-        path: '/api/auth/login',
-        remoteAddress: ip
-      })
-      await expect(rateLimitMiddleware(event)).rejects.toMatchObject({
-        statusCode: 429
-      })
-
-      // Check Retry-After header was set
-      expect(event._testSetHeaders['retry-after']).toBeDefined()
-    })
-  })
-
   describe('payment endpoint limiting (10 per min)', () => {
     it('allows 10 requests then blocks the 11th', async () => {
       const ip = '10.0.2.1'
@@ -68,16 +39,19 @@ describe('rate-limit middleware', () => {
       await expect(rateLimitMiddleware(event)).rejects.toMatchObject({
         statusCode: 429
       })
+
+      // Check Retry-After header was set
+      expect(event._testSetHeaders['retry-after']).toBeDefined()
     })
   })
 
   describe('IP isolation', () => {
     it('different IPs have separate rate limit counters', async () => {
-      // Exhaust limit for IP A
-      for (let i = 0; i < 5; i++) {
+      // Exhaust payment limit for IP A
+      for (let i = 0; i < 10; i++) {
         const event = createMockEvent({
           method: 'POST',
-          path: '/api/auth/login',
+          path: '/api/helcim/initialize-payment',
           remoteAddress: '10.0.3.1'
         })
         await rateLimitMiddleware(event)
@@ -86,7 +60,7 @@ describe('rate-limit middleware', () => {
       // IP B should still be able to make requests
       const event = createMockEvent({
         method: 'POST',
-        path: '/api/auth/login',
+        path: '/api/helcim/initialize-payment',
         remoteAddress: '10.0.3.2'
       })
       await expect(rateLimitMiddleware(event)).resolves.toBeUndefined()