diff --git a/.env.example b/.env.example
index 5a02892..28109ca 100644
--- a/.env.example
+++ b/.env.example
@@ -20,4 +20,9 @@ SLACK_OAUTH_TOKEN=your-slack-oauth-token
 JWT_SECRET=your-jwt-secret-key-change-this-in-production
 
 # Application URLs
-APP_URL=http://localhost:3000
\ No newline at end of file
+APP_URL=http://localhost:3000
+
+# OIDC Provider (for Outline Wiki SSO)
+OIDC_CLIENT_ID=outline-wiki
+OIDC_CLIENT_SECRET=<generate-with-openssl-rand-hex-32>
+OIDC_COOKIE_SECRET=<generate-with-openssl-rand-hex-32>
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index 400f35a..a3170a0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,10 +17,10 @@ logs
 .DS_Store
 .fleet
 .idea
+docs/*
 
 # Local env files
 .env
 .env.*
 !.env.example
-/docs/
 scripts/*.js
diff --git a/app/components/AppNavigation.vue b/app/components/AppNavigation.vue
index bdbb47d..b32ed17 100644
--- a/app/components/AppNavigation.vue
+++ b/app/components/AppNavigation.vue
@@ -211,9 +211,7 @@ const handleLogin = async () => {
   } catch (err) {
     console.error("Login error:", err);
 
-    if (err.statusCode === 404) {
-      loginError.value = "No account found";
-    } else if (err.statusCode === 500) {
+    if (err.statusCode === 500) {
       loginError.value = "Failed to send email";
     } else {
       loginError.value = "Something went wrong";
diff --git a/app/components/LoginModal.vue b/app/components/LoginModal.vue
index 543a936..a826505 100644
--- a/app/components/LoginModal.vue
+++ b/app/components/LoginModal.vue
@@ -167,9 +167,7 @@ const handleLogin = async () => {
   } catch (err) {
     console.error('Login error:', err)
 
-    if (err.statusCode === 404) {
-      loginError.value = 'No account found with that email. Please check your email or join Ghost Guild.'
-    } else if (err.statusCode === 500) {
+    if (err.statusCode === 500) {
       loginError.value = 'Failed to send login email. Please try again later.'
     } else {
       loginError.value = err.statusMessage || 'Something went wrong. Please try again.'
diff --git a/app/composables/useMarkdown.js b/app/composables/useMarkdown.js
index 9794192..b66430b 100644
--- a/app/composables/useMarkdown.js
+++ b/app/composables/useMarkdown.js
@@ -1,12 +1,29 @@
 import { marked } from 'marked'
+import DOMPurify from 'isomorphic-dompurify'
+
+const ALLOWED_TAGS = [
+  'a', 'strong', 'em', 'b', 'i', 'u',
+  'ul', 'ol', 'li', 'p', 'br',
+  'code', 'pre', 'blockquote',
+  'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
+  'hr', 'table', 'thead', 'tbody', 'tr', 'th', 'td',
+  'del', 'sup', 'sub'
+]
+
+const ALLOWED_ATTR = ['href', 'target', 'rel', 'class']
 
 export const useMarkdown = () => {
   const render = (markdown) => {
     if (!markdown) return ''
-    return marked(markdown, {
+    const raw = marked(markdown, {
       breaks: true,
       gfm: true
     })
+    return DOMPurify.sanitize(raw, {
+      ALLOWED_TAGS,
+      ALLOWED_ATTR,
+      ALLOW_DATA_ATTR: false
+    })
   }
 
   return {
diff --git a/app/middleware/admin.js b/app/middleware/admin.js
index 2c643a7..cf2d155 100644
--- a/app/middleware/admin.js
+++ b/app/middleware/admin.js
@@ -1,18 +1,17 @@
-export default defineNuxtRouteMiddleware((to) => {
-  // Skip middleware in server-side rendering to avoid errors
+export default defineNuxtRouteMiddleware(async (to) => {
   if (process.server) return
-  
-  // TODO: Temporarily disabled for testing - enable when authentication is set up
-  // Check if user is authenticated (you'll need to implement proper auth state)
-  // const isAuthenticated = useCookie('auth-token').value
-  
-  // if (!isAuthenticated) {
-  //   throw createError({
-  //     statusCode: 401,
-  //     statusMessage: 'Authentication required'
-  //   })
-  // }
-  
-  // TODO: Add proper role-based authorization
-  // For now, we assume anyone with a valid token is an admin
-})
\ No newline at end of file
+
+  const { isAuthenticated, memberData, checkMemberStatus } = useAuth()
+
+  if (!isAuthenticated.value) {
+    await checkMemberStatus()
+  }
+
+  if (!isAuthenticated.value) {
+    return navigateTo('/')
+  }
+
+  if (memberData.value?.role !== 'admin') {
+    return navigateTo('/members')
+  }
+})
diff --git a/app/pages/oidc/login.vue b/app/pages/oidc/login.vue
new file mode 100644
index 0000000..c224c11
--- /dev/null
+++ b/app/pages/oidc/login.vue
@@ -0,0 +1,96 @@
+<script setup lang="ts">
+definePageMeta({
+  layout: false,
+});
+
+const route = useRoute();
+const uid = route.query.uid as string;
+
+const email = ref("");
+const sent = ref(false);
+const loading = ref(false);
+const error = ref("");
+
+async function sendMagicLink() {
+  if (!email.value || !uid) return;
+  loading.value = true;
+  error.value = "";
+
+  try {
+    await $fetch("/oidc/interaction/login", {
+      method: "POST",
+      body: { email: email.value, uid },
+    });
+    sent.value = true;
+  } catch (e: any) {
+    error.value = e?.data?.statusMessage || "Something went wrong. Please try again.";
+  } finally {
+    loading.value = false;
+  }
+}
+</script>
+
+<template>
+  <div class="min-h-screen flex items-center justify-center bg-gray-50 px-4">
+    <div class="w-full max-w-sm">
+      <div class="bg-white rounded-lg shadow-md p-8">
+        <div class="text-center mb-6">
+          <h1 class="text-2xl font-bold text-gray-900">Ghost Guild Wiki</h1>
+          <p class="mt-2 text-sm text-gray-600">
+            Sign in with your Ghost Guild account
+          </p>
+        </div>
+
+        <template v-if="!sent">
+          <form @submit.prevent="sendMagicLink" class="space-y-4">
+            <div>
+              <label for="email" class="block text-sm font-medium text-gray-700 mb-1">
+                Email address
+              </label>
+              <input
+                id="email"
+                v-model="email"
+                type="email"
+                required
+                placeholder="you@example.com"
+                class="w-full px-3 py-2 border border-gray-300 rounded-md shadow-sm focus:ring-2 focus:ring-blue-500 focus:border-blue-500 text-sm"
+                :disabled="loading"
+              />
+            </div>
+
+            <p v-if="error" class="text-sm text-red-600">{{ error }}</p>
+
+            <button
+              type="submit"
+              :disabled="loading || !email"
+              class="w-full py-2 px-4 bg-blue-600 text-white text-sm font-medium rounded-md hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2 disabled:opacity-50 disabled:cursor-not-allowed"
+            >
+              {{ loading ? "Sending..." : "Send magic link" }}
+            </button>
+          </form>
+
+          <p class="mt-4 text-xs text-center text-gray-500">
+            We'll send a sign-in link to your email.
+          </p>
+        </template>
+
+        <template v-else>
+          <div class="text-center space-y-3">
+            <div class="text-4xl">✉️</div>
+            <h2 class="text-lg font-semibold text-gray-900">Check your email</h2>
+            <p class="text-sm text-gray-600">
+              We sent a sign-in link to <strong>{{ email }}</strong>.
+              Click the link in the email to continue.
+            </p>
+            <button
+              @click="sent = false; email = '';"
+              class="mt-4 text-sm text-blue-600 hover:text-blue-800"
+            >
+              Use a different email
+            </button>
+          </div>
+        </template>
+      </div>
+    </div>
+  </div>
+</template>
diff --git a/app/plugins/csrf.client.js b/app/plugins/csrf.client.js
new file mode 100644
index 0000000..e5743bc
--- /dev/null
+++ b/app/plugins/csrf.client.js
@@ -0,0 +1,23 @@
+export default defineNuxtPlugin(() => {
+  const safeMethods = new Set(['GET', 'HEAD', 'OPTIONS'])
+
+  globalThis.$fetch = globalThis.$fetch.create({
+    onRequest({ options }) {
+      const method = (options.method || 'GET').toUpperCase()
+      if (safeMethods.has(method)) return
+
+      // Read CSRF token from cookie
+      const csrfToken = useCookie('csrf-token').value
+      if (csrfToken) {
+        options.headers = options.headers || {}
+        if (options.headers instanceof Headers) {
+          options.headers.set('x-csrf-token', csrfToken)
+        } else if (Array.isArray(options.headers)) {
+          options.headers.push(['x-csrf-token', csrfToken])
+        } else {
+          options.headers['x-csrf-token'] = csrfToken
+        }
+      }
+    }
+  })
+})
diff --git a/docs/SECURITY_EVALUATION.md b/docs/SECURITY_EVALUATION.md
new file mode 100644
index 0000000..b337246
--- /dev/null
+++ b/docs/SECURITY_EVALUATION.md
@@ -0,0 +1,282 @@
+# Ghost Guild Security Evaluation
+
+**Date:** 2026-02-28 (updated 2026-03-01)
+**Framework:** OWASP ASVS v4.0, Level 1
+**Scope:** Full application stack (Nuxt 4 + Nitro server + MongoDB)
+
+---
+
+## Framework Rationale
+
+Ghost Guild handles payments (Helcim), PII, and user-generated content. We evaluated four frameworks before selecting ASVS:
+
+| Framework | Why Not |
+|---|---|
+| PCI-DSS | Too narrow -- only covers payment surface, misses auth/XSS/access control |
+| NIST CSF / ISO 27001 | Organizational frameworks, not application-level |
+| OWASP Top 10 | Too coarse -- categories without testable requirements |
+| **OWASP ASVS L1** | **Selected** -- purpose-built for web apps, testable pass/fail criteria across 14 chapters |
+
+ASVS Level 1 targets "all software" and is achievable for a small team.
+
+---
+
+## Findings
+
+### Severity Summary
+
+| Severity | Count | Key Areas |
+|----------|-------|-----------|
+| CRITICAL | 5 | Admin auth disabled, payment verification stub, XSS (markdown + emails), cookie flags |
+| HIGH | 9 | No rate limiting, no CSRF, JWT secret fallback, unauthenticated endpoints, mass assignment |
+| MEDIUM | 5 | Long-lived tokens, Slack secrets unused, devtools, data logging, regex injection |
+| LOW | 2 | User enumeration, email format validation |
+
+---
+
+### CRITICAL
+
+#### C1. Admin endpoints completely unprotected
+- **ASVS:** V4.1.1 (Trusted enforcement)
+- **Files:** All routes under `server/api/admin/`
+- **Evidence:** Auth code is commented out with `// TODO: Temporarily disabled auth for testing`. Anyone can list all members, create/delete events, and view revenue dashboard. The Member model has no `role` or `isAdmin` field.
+
+#### C2. Payment verification is a stub
+- **ASVS:** V10.2.1 (Business logic integrity)
+- **File:** `server/api/helcim/verify-payment.post.js`
+- **Evidence:** Returns `{ success: true, cardToken: body.cardToken }` without calling the Helcim API.
+
+#### C3. XSS via unsanitized markdown
+- **ASVS:** V5.3.3 (Output encoding for HTML)
+- **Files:** `app/composables/useMarkdown.js`, `app/pages/members.vue:247`
+- **Evidence:** `marked()` output rendered via `v-html` with no DOMPurify.
+
+#### C4. XSS in email templates
+- **ASVS:** V5.2.6 (Server-side injection)
+- **File:** `server/utils/resend.js` (11+ interpolation points)
+- **Evidence:** User-supplied values interpolated directly into HTML email bodies.
+
+#### C5. Session cookie allows JavaScript access
+- **ASVS:** V3.2.1 (Cookie attributes)
+- **File:** `server/api/auth/verify.get.js:40-45`
+- **Evidence:** `httpOnly: false, secure: false`. Session token accessible to any JavaScript.
+
+---
+
+### HIGH
+
+#### H1. No rate limiting on any endpoint
+- **ASVS:** V13.2.5
+- **Evidence:** No rate limiting middleware anywhere. Login, registration, uploads, and payment endpoints are unlimited.
+
+#### H2. No CSRF protection
+- **ASVS:** V3.5.2
+- **Evidence:** No CSRF tokens, double-submit cookies, or CSRF middleware.
+
+#### H3. Hardcoded JWT fallback secret
+- **ASVS:** V6.4.1 (Key management)
+- **File:** `nuxt.config.ts:17`
+- **Evidence:** `jwtSecret: process.env.JWT_SECRET || 'dev-secret-change-in-production'`
+
+#### H4. File upload endpoint unauthenticated
+- **ASVS:** V4.1.3
+- **File:** `server/api/upload/image.post.js`
+- **Evidence:** No auth check. Anyone can upload images.
+
+#### H5. Helcim payment endpoints mostly unauthenticated
+- **ASVS:** V4.1.1
+- **Files:** `verify-payment.post.js`, `initialize-payment.post.js`, `update-billing.post.js`, `subscription.post.js`
+
+#### H6. Mass assignment: helcimCustomerId in allowedFields
+- **ASVS:** V5.1.3
+- **File:** `server/api/members/profile.patch.js:40`
+- **Evidence:** A member can change their own Helcim customer ID.
+
+#### H7. No input validation
+- **ASVS:** V5.1.3
+- **Evidence:** Zod is installed but has zero imports. All validation is ad-hoc.
+
+#### H8. User enumeration on login
+- **ASVS:** V2.1.7
+- **File:** `server/api/auth/login.post.js:24-28`
+- **Evidence:** Returns 404 "No account found" vs success.
+
+#### H9. No security headers
+- **ASVS:** V9.1.1
+- **Evidence:** No CSP, HSTS, X-Frame-Options, or X-Content-Type-Options.
+
+---
+
+### MEDIUM
+
+| ID | ASVS | Finding | File |
+|----|------|---------|------|
+| M1 | V2.5.2 | 30-day static session token, no rotation | `verify.get.js:36` |
+| M2 | V10.2.2 | Slack signing secret defined but never used | `nuxt.config.ts:21` |
+| M3 | V7.4.1 | DevTools enabled unconditionally | `nuxt.config.ts:4` |
+| M4 | V7.1.1 | Console logging of payment data and API token substrings | `helcim/customer.post.js:42` |
+| M5 | V5.3.4 | Unescaped regex in directory search | `members/directory.get.js:49-51` |
+
+### LOW
+
+| ID | ASVS | Finding | File |
+|----|------|---------|------|
+| L1 | V2.1.7 | Timing-based enumeration via DB lookup | `auth/login.post.js` |
+| L2 | V5.1.3 | No email format validation on login | `auth/login.post.js:15` |
+
+---
+
+## Future Feature Risk Assessment
+
+| Planned Feature | Risk | Must Address First |
+|---|---|---|
+| Rich text member updates | Same XSS pattern as C3 | Fix markdown sanitization (C3) |
+| Resource library with downloads | Unauthenticated upload (H4), malware distribution | Add upload auth (H4), file validation |
+| Etherpad integration | External content rendered unsanitized | Build sanitization utility (C3) |
+| Cal.com integration | API credential exposure | Fix secret management (H3) |
+| Member-proposed events | No admin role model, no approval workflow | Build RBAC (C1) |
+| Advanced search/analytics | Regex injection (M5), privacy leakage | Fix regex escaping (M5) |
+
+---
+
+## Remediation Summary (Phases 0-1 + partial Phase 2)
+
+All work lives on branch `security/asvs-remediation`.
+
+### Auth guards (`server/utils/auth.js`)
+- `requireAuth(event)` -- Reads JWT from `auth-token` cookie, verifies against `jwtSecret`, loads member from DB, rejects suspended/cancelled accounts (403). Auto-imported by Nitro.
+- `requireAdmin(event)` -- Calls `requireAuth`, then checks `member.role === 'admin'` (403 if not). Member model gained `role` field (enum: `member`/`admin`, default `member`).
+- Applied to all `server/api/admin/`, `server/api/upload/`, and `server/api/helcim/` endpoints.
+
+### CSRF (`server/middleware/01.csrf.js` + `app/plugins/csrf.client.js`)
+- Double-submit cookie pattern. Middleware generates a random token cookie on first request, then enforces that POST/PATCH/DELETE to `/api/*` include a matching `x-csrf-token` header.
+- Client plugin reads the cookie and attaches the header on every `$fetch` request.
+- Exempt routes: `/api/helcim/webhook`, `/api/slack/webhook`, `/api/auth/verify`.
+
+### Security headers (`server/middleware/02.security-headers.js`)
+- Always: `X-Content-Type-Options: nosniff`, `X-Frame-Options: DENY`, `X-XSS-Protection: 0`, `Referrer-Policy: strict-origin-when-cross-origin`, `Permissions-Policy: camera=(), microphone=(), geolocation=()`.
+- Production only: HSTS (1 year, includeSubDomains) and CSP allowing Helcim, Cloudinary, and Plausible sources.
+
+### Rate limiting (`server/middleware/03.rate-limit.js`)
+- `rate-limiter-flexible` with in-memory stores, keyed by client IP.
+- Auth endpoints: 5 requests per 5 minutes. Payment endpoints: 10 per minute. Uploads: 10 per minute. General API: 100 per minute.
+- Returns 429 with `Retry-After` header on exhaustion.
+
+### XSS prevention
+- **Markdown** (`app/composables/useMarkdown.js`): `marked()` output sanitized through DOMPurify with explicit allowlists for tags and attributes. Strips script/iframe/object/embed/img and all event handler attributes.
+- **Email templates** (`server/utils/escapeHtml.js`): Pure function escaping `& < > " '` to HTML entities. Applied to all user-supplied interpolations in `server/utils/resend.js`.
+
+### Anti-enumeration (`server/api/auth/login.post.js`)
+- Login returns identical `{ success: true, message: "If this email is registered, we've sent a login link." }` for both existing and non-existing emails.
+
+### Mass assignment (`server/api/members/profile.patch.js`)
+- Explicit allowlist of profile fields. `helcimCustomerId`, `role`, `status`, `email`, `_id` are excluded from the `$set` update.
+
+### Session management
+- 7-day token expiry with refresh endpoint at `/api/auth/refresh`.
+
+---
+
+## Remediation Roadmap
+
+### Phase 0: Emergency (before any production traffic) -- COMPLETE
+
+| # | Finding | Fix | ASVS | Status |
+|---|---------|-----|------|--------|
+| 1 | C5 | Set `httpOnly: true`, `secure` conditional on NODE_ENV | V3.2.1 | Done |
+| 2 | C3 | Install `isomorphic-dompurify`, sanitize `marked()` output | V5.3.3 | Done |
+| 3 | C1 | Add `role` field to Member model, re-enable admin auth with role check | V4.1.1 | Done |
+| 4 | C2 | Call Helcim API in verify-payment to confirm transactions server-side | V10.2.1 | Done |
+| 5 | H3 | Throw on missing JWT_SECRET instead of fallback | V6.4.1 | Done |
+
+### Phase 1: Pre-launch (before public access) -- COMPLETE
+
+| # | Finding | Fix | ASVS | Status |
+|---|---------|-----|------|--------|
+| 6 | C4 | Create `escapeHtml()` utility, apply to all email template interpolations | V5.2.6 | Done |
+| 7 | H4 | Add JWT verification to upload endpoint | V4.1.3 | Done |
+| 8 | H5 | Add JWT verification to payment endpoints | V4.1.1 | Done |
+| 9 | H6 | Remove `helcimCustomerId` from `allowedFields` | V5.1.3 | Done |
+| 10 | H2 | Add CSRF double-submit cookie middleware (exempt webhooks) | V3.5.2 | Done |
+| 11 | H9 | Add CSP, HSTS, X-Frame-Options, X-Content-Type-Options headers | V9.1.1 | Done |
+| 12 | H1 | Add rate limiting to login, registration, upload, payment | V13.2.5 | Done |
+| 13 | H8 | Return identical response for existing/non-existing accounts | V2.1.7 | Done |
+| 14 | -- | Add `status: 'active'` check to auth endpoints | V4.1.1 | Done |
+
+### Phase 2: Hardening (within 30 days of launch) -- PARTIAL
+
+| # | Finding | Fix | ASVS | Status |
+|---|---------|-----|------|--------|
+| 15 | H7 | Implement Zod validation across all API endpoints | V5.1.3 | Open |
+| 16 | M5 | Escape regex in directory search | V5.3.4 | Open |
+| 17 | M4 | Remove sensitive console.log statements | V7.1.1 | Open |
+| 18 | M3 | Make devtools conditional on NODE_ENV | V7.4.1 | Open |
+| 19 | M1 | Shorter session tokens (7d) with refresh endpoint | V2.5.2 | Done |
+| 20 | -- | Create shared `requireAuth()`/`requireAdmin()` utilities | V4.1.1 | Done |
+
+### Phase 3: Before building planned features
+
+| # | Fix | Status |
+|---|-----|--------|
+| 21 | Build sanitization utility (DOMPurify wrapper) for all user-generated HTML | Open |
+| 22 | Design admin role model with granular permissions | Open |
+| 23 | Implement file validation pipeline (type, size, virus scanning) | Open |
+| 24 | Design credential management patterns (encrypted at rest) | Open |
+
+---
+
+## Automated Testing
+
+### Framework
+
+Vitest with two test projects:
+
+- **Server tests** (`tests/server/`): Node.js environment, h3 globals stubbed from real h3 functions
+- **Client tests** (`tests/client/`): jsdom environment for browser-side composables
+
+```bash
+npm run test       # Watch mode
+npm run test:run   # Single run (CI)
+```
+
+### Infrastructure
+
+- `tests/server/setup.js` -- Stubs real h3 functions (`getCookie`, `setCookie`, `getMethod`, `getHeader`, `setHeader`, `getRequestURL`, `createError`, `defineEventHandler`, `readBody`, etc.) as globals to simulate Nitro auto-imports. Also stubs `useRuntimeConfig`.
+- `tests/server/helpers/createMockEvent.js` -- Factory that builds real h3 events from Node.js `IncomingMessage`/`ServerResponse` pairs. Accepts `method`, `path`, `headers`, `cookies`, `body`, and `remoteAddress`. Captures response headers via `event._testSetHeaders` for assertions.
+
+### Test Coverage (79 tests across 8 files)
+
+| File | Tests | Security Controls Verified |
+|------|-------|---------------------------|
+| `tests/server/utils/escapeHtml.test.js` | 12 | All 5 HTML entity escapes, null/undefined handling, `<script>` and `<img onerror>` XSS payloads (C4, V5.2.6) |
+| `tests/client/composables/useMarkdown.test.js` | 18 | Script/iframe/object/embed tags stripped, onerror/onclick attrs stripped, javascript: URIs sanitized, safe markdown preserved (C3, V5.3.3) |
+| `tests/server/middleware/csrf.test.js` | 14 | GET/HEAD/OPTIONS bypass, non-API bypass, webhook exemptions, 403 on missing/mismatched token, PATCH/DELETE enforcement, cookie provisioning (H2, V3.5.2) |
+| `tests/server/middleware/security-headers.test.js` | 12 | X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy always set; HSTS + CSP production-only; CSP includes Helcim/Cloudinary/Plausible sources (H9, V9.1.1) |
+| `tests/server/middleware/rate-limit.test.js` | 4 | Auth endpoint 5/5min limit, payment endpoint 10/min limit, IP isolation between clients (H1, V13.2.5) |
+| `tests/server/utils/auth.test.js` | 8 | No cookie = 401, invalid JWT = 401, member not found = 401, suspended = 403, cancelled = 403, active = returns member, non-admin = 403, admin = returns member (C1, V4.1.1) |
+| `tests/server/api/auth-login.test.js` | 4 | Existing and non-existing emails return identical response shape and message, missing email = 400 (H8, V2.1.7) |
+| `tests/server/api/members-profile-patch.test.js` | 7 | `helcimCustomerId`, `role`, `status`, `email`, `_id` blocked from `$set`; allowed fields (`pronouns`, `bio`, `studio`, etc.) and nested objects (`offering`, `lookingFor`) pass through (H6, V5.1.3) |
+
+### Manual Test Cases
+
+These items require browser or network-level verification and are not covered by automated tests:
+
+**Item 1 (Cookie flags):** Open DevTools > Application > Cookies. Verify `auth-token` has `HttpOnly: true`. Run `document.cookie` in console -- `auth-token` must NOT appear. Auth flow must still work.
+
+**Item 4 (Payment verification):** Fake `cardToken` = failure. Real HelcimPay.js flow in test mode = success.
+
+**Item 5 (JWT fallback):** Unset `JWT_SECRET`, start server = crash with clear error. Set it = normal startup.
+
+**Item 7 (Upload auth):** POST `/api/upload/image` with no cookie = 401. With valid auth = success.
+
+**Item 8 (Payment auth):** Each endpoint with no cookie = 401. Full join flow still completes.
+
+### Integration verification (after each phase)
+
+- `npm run test:run` -- all 79 tests pass
+- `npm run build` succeeds
+- Full join flow: free tier + paid tier
+- Full login flow: magic link request, click, redirect to `/members`
+- Profile editing: avatar upload, bio update, privacy settings
+- Admin pages: access control verified
+- `curl` against hardened endpoints: unauthenticated = rejected
diff --git a/nuxt.config.ts b/nuxt.config.ts
index 208fea0..eadc666 100644
--- a/nuxt.config.ts
+++ b/nuxt.config.ts
@@ -1,7 +1,7 @@
 // https://nuxt.com/docs/api/configuration/nuxt-config
 export default defineNuxtConfig({
   compatibilityDate: "2025-07-15",
-  devtools: { enabled: true },
+  devtools: { enabled: process.env.NODE_ENV !== 'production' },
   modules: ["@nuxt/eslint", "@nuxt/ui", "@nuxtjs/plausible"],
   build: {
     transpile: ["vue-cal"],
@@ -14,12 +14,15 @@ export default defineNuxtConfig({
     // Private keys (server-side only)
     mongodbUri:
       process.env.MONGODB_URI || "mongodb://localhost:27017/ghostguild",
-    jwtSecret: process.env.JWT_SECRET || "dev-secret-change-in-production",
+    jwtSecret: process.env.JWT_SECRET || "",
     resendApiKey: process.env.RESEND_API_KEY || "",
     helcimApiToken: process.env.HELCIM_API_TOKEN || "",
     slackBotToken: process.env.SLACK_BOT_TOKEN || "",
     slackSigningSecret: process.env.SLACK_SIGNING_SECRET || "",
     slackVettingChannelId: process.env.SLACK_VETTING_CHANNEL_ID || "",
+    oidcClientId: process.env.OIDC_CLIENT_ID || "outline-wiki",
+    oidcClientSecret: process.env.OIDC_CLIENT_SECRET || "",
+    oidcCookieSecret: process.env.OIDC_COOKIE_SECRET || "",
 
     // Public keys (available on client-side)
     public: {
diff --git a/package-lock.json b/package-lock.json
index 175196e..63183ff 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -14,15 +14,17 @@
         "@nuxt/ui": "^4.0.0",
         "@nuxtjs/plausible": "^3.0.1",
         "@slack/web-api": "^7.10.0",
-        "bcryptjs": "^3.0.2",
         "chrono-node": "^2.8.4",
         "cloudinary": "^2.7.0",
         "eslint": "^9.34.0",
+        "isomorphic-dompurify": "^3.0.0",
         "jsonwebtoken": "^9.0.2",
         "marked": "^17.0.3",
         "mongoose": "^8.18.0",
         "nitro-cors": "^0.7.1",
         "nuxt": "^4.0.3",
+        "oidc-provider": "^9.6.1",
+        "rate-limiter-flexible": "^9.1.1",
         "resend": "^6.0.1",
         "typescript": "^5.9.2",
         "vue": "^3.5.20",
@@ -30,9 +32,20 @@
         "zod": "^4.1.3"
       },
       "devDependencies": {
-        "@tailwindcss/typography": "^0.5.19"
+        "@nuxt/test-utils": "^4.0.0",
+        "@tailwindcss/typography": "^0.5.19",
+        "@types/jsonwebtoken": "^9.0.10",
+        "@types/oidc-provider": "^9.5.0",
+        "jsdom": "^28.1.0",
+        "vitest": "^4.0.18"
       }
     },
+    "node_modules/@acemir/cssom": {
+      "version": "0.9.31",
+      "resolved": "https://registry.npmjs.org/@acemir/cssom/-/cssom-0.9.31.tgz",
+      "integrity": "sha512-ZnR3GSaH+/vJ0YlHau21FjfLYjMpYVIzTD8M8vIEQvIGxeOXyXdzCI140rrCY862p/C/BbzWsjc1dgnM9mkoTA==",
+      "license": "MIT"
+    },
     "node_modules/@alloc/quick-lru": {
       "version": "5.2.0",
       "resolved": "https://registry.npmjs.org/@alloc/quick-lru/-/quick-lru-5.2.0.tgz",
@@ -76,6 +89,59 @@
         "@types/json-schema": "^7.0.15"
       }
     },
+    "node_modules/@asamuzakjp/css-color": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/@asamuzakjp/css-color/-/css-color-5.0.1.tgz",
+      "integrity": "sha512-2SZFvqMyvboVV1d15lMf7XiI3m7SDqXUuKaTymJYLN6dSGadqp+fVojqJlVoMlbZnlTmu3S0TLwLTJpvBMO1Aw==",
+      "license": "MIT",
+      "dependencies": {
+        "@csstools/css-calc": "^3.1.1",
+        "@csstools/css-color-parser": "^4.0.2",
+        "@csstools/css-parser-algorithms": "^4.0.0",
+        "@csstools/css-tokenizer": "^4.0.0",
+        "lru-cache": "^11.2.6"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      }
+    },
+    "node_modules/@asamuzakjp/css-color/node_modules/lru-cache": {
+      "version": "11.2.6",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.2.6.tgz",
+      "integrity": "sha512-ESL2CrkS/2wTPfuend7Zhkzo2u0daGJ/A2VucJOgQ/C48S/zB8MMeMHSGKYpXhIjbPxfuezITkaBH1wqv00DDQ==",
+      "license": "BlueOak-1.0.0",
+      "engines": {
+        "node": "20 || >=22"
+      }
+    },
+    "node_modules/@asamuzakjp/dom-selector": {
+      "version": "6.8.1",
+      "resolved": "https://registry.npmjs.org/@asamuzakjp/dom-selector/-/dom-selector-6.8.1.tgz",
+      "integrity": "sha512-MvRz1nCqW0fsy8Qz4dnLIvhOlMzqDVBabZx6lH+YywFDdjXhMY37SmpV1XFX3JzG5GWHn63j6HX6QPr3lZXHvQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@asamuzakjp/nwsapi": "^2.3.9",
+        "bidi-js": "^1.0.3",
+        "css-tree": "^3.1.0",
+        "is-potential-custom-element-name": "^1.0.1",
+        "lru-cache": "^11.2.6"
+      }
+    },
+    "node_modules/@asamuzakjp/dom-selector/node_modules/lru-cache": {
+      "version": "11.2.6",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.2.6.tgz",
+      "integrity": "sha512-ESL2CrkS/2wTPfuend7Zhkzo2u0daGJ/A2VucJOgQ/C48S/zB8MMeMHSGKYpXhIjbPxfuezITkaBH1wqv00DDQ==",
+      "license": "BlueOak-1.0.0",
+      "engines": {
+        "node": "20 || >=22"
+      }
+    },
+    "node_modules/@asamuzakjp/nwsapi": {
+      "version": "2.3.9",
+      "resolved": "https://registry.npmjs.org/@asamuzakjp/nwsapi/-/nwsapi-2.3.9.tgz",
+      "integrity": "sha512-n8GuYSrI9bF7FFZ/SjhwevlHc8xaVlb/7HmHelnc/PZXBD2ZR49NnN9sMMuDdEGPeeRQ5d0hqlSlEpgCX3Wl0Q==",
+      "license": "MIT"
+    },
     "node_modules/@babel/code-frame": {
       "version": "7.29.0",
       "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.0.tgz",
@@ -498,6 +564,18 @@
         }
       }
     },
+    "node_modules/@bramus/specificity": {
+      "version": "2.4.2",
+      "resolved": "https://registry.npmjs.org/@bramus/specificity/-/specificity-2.4.2.tgz",
+      "integrity": "sha512-ctxtJ/eA+t+6q2++vj5j7FYX3nRu311q1wfYH3xjlLOsczhlhxAg2FWNUXhpGvAw3BWo1xBcvOV6/YLc2r5FJw==",
+      "license": "MIT",
+      "dependencies": {
+        "css-tree": "^3.0.0"
+      },
+      "bin": {
+        "specificity": "bin/cli.js"
+      }
+    },
     "node_modules/@capsizecss/unpack": {
       "version": "4.0.0",
       "resolved": "https://registry.npmjs.org/@capsizecss/unpack/-/unpack-4.0.0.tgz",
@@ -581,6 +659,132 @@
         "@cloudinary/html": "^1.13.5"
       }
     },
+    "node_modules/@csstools/color-helpers": {
+      "version": "6.0.2",
+      "resolved": "https://registry.npmjs.org/@csstools/color-helpers/-/color-helpers-6.0.2.tgz",
+      "integrity": "sha512-LMGQLS9EuADloEFkcTBR3BwV/CGHV7zyDxVRtVDTwdI2Ca4it0CCVTT9wCkxSgokjE5Ho41hEPgb8OEUwoXr6Q==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT-0",
+      "engines": {
+        "node": ">=20.19.0"
+      }
+    },
+    "node_modules/@csstools/css-calc": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/@csstools/css-calc/-/css-calc-3.1.1.tgz",
+      "integrity": "sha512-HJ26Z/vmsZQqs/o3a6bgKslXGFAungXGbinULZO3eMsOyNJHeBBZfup5FiZInOghgoM4Hwnmw+OgbJCNg1wwUQ==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT",
+      "engines": {
+        "node": ">=20.19.0"
+      },
+      "peerDependencies": {
+        "@csstools/css-parser-algorithms": "^4.0.0",
+        "@csstools/css-tokenizer": "^4.0.0"
+      }
+    },
+    "node_modules/@csstools/css-color-parser": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/@csstools/css-color-parser/-/css-color-parser-4.0.2.tgz",
+      "integrity": "sha512-0GEfbBLmTFf0dJlpsNU7zwxRIH0/BGEMuXLTCvFYxuL1tNhqzTbtnFICyJLTNK4a+RechKP75e7w42ClXSnJQw==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "@csstools/color-helpers": "^6.0.2",
+        "@csstools/css-calc": "^3.1.1"
+      },
+      "engines": {
+        "node": ">=20.19.0"
+      },
+      "peerDependencies": {
+        "@csstools/css-parser-algorithms": "^4.0.0",
+        "@csstools/css-tokenizer": "^4.0.0"
+      }
+    },
+    "node_modules/@csstools/css-parser-algorithms": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/@csstools/css-parser-algorithms/-/css-parser-algorithms-4.0.0.tgz",
+      "integrity": "sha512-+B87qS7fIG3L5h3qwJ/IFbjoVoOe/bpOdh9hAjXbvx0o8ImEmUsGXN0inFOnk2ChCFgqkkGFQ+TpM5rbhkKe4w==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT",
+      "engines": {
+        "node": ">=20.19.0"
+      },
+      "peerDependencies": {
+        "@csstools/css-tokenizer": "^4.0.0"
+      }
+    },
+    "node_modules/@csstools/css-syntax-patches-for-csstree": {
+      "version": "1.0.28",
+      "resolved": "https://registry.npmjs.org/@csstools/css-syntax-patches-for-csstree/-/css-syntax-patches-for-csstree-1.0.28.tgz",
+      "integrity": "sha512-1NRf1CUBjnr3K7hu8BLxjQrKCxEe8FP/xmPTenAxCRZWVLbmGotkFvG9mfNpjA6k7Bw1bw4BilZq9cu19RA5pg==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT-0"
+    },
+    "node_modules/@csstools/css-tokenizer": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/@csstools/css-tokenizer/-/css-tokenizer-4.0.0.tgz",
+      "integrity": "sha512-QxULHAm7cNu72w97JUNCBFODFaXpbDg+dP8b/oWFAZ2MTRppA3U00Y2L1HqaS4J6yBqxwa/Y3nMBaxVKbB/NsA==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT",
+      "engines": {
+        "node": ">=20.19.0"
+      }
+    },
     "node_modules/@dxup/nuxt": {
       "version": "0.3.2",
       "resolved": "https://registry.npmjs.org/@dxup/nuxt/-/nuxt-0.3.2.tgz",
@@ -1369,6 +1573,23 @@
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
       }
     },
+    "node_modules/@exodus/bytes": {
+      "version": "1.14.1",
+      "resolved": "https://registry.npmjs.org/@exodus/bytes/-/bytes-1.14.1.tgz",
+      "integrity": "sha512-OhkBFWI6GcRMUroChZiopRiSp2iAMvEBK47NhJooDqz1RERO4QuZIZnjP63TXX8GAiLABkYmX+fuQsdJ1dd2QQ==",
+      "license": "MIT",
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      },
+      "peerDependencies": {
+        "@noble/hashes": "^1.8.0 || ^2.0.0"
+      },
+      "peerDependenciesMeta": {
+        "@noble/hashes": {
+          "optional": true
+        }
+      }
+    },
     "node_modules/@floating-ui/core": {
       "version": "1.7.4",
       "resolved": "https://registry.npmjs.org/@floating-ui/core/-/core-1.7.4.tgz",
@@ -1731,6 +1952,41 @@
         "@jridgewell/sourcemap-codec": "^1.4.14"
       }
     },
+    "node_modules/@koa/cors": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/@koa/cors/-/cors-5.0.0.tgz",
+      "integrity": "sha512-x/iUDjcS90W69PryLDIMgFyV21YLTnG9zOpPXS7Bkt2b8AsY3zZsIpOLBkYr9fBcF3HbkKaER5hOBZLfpLgYNw==",
+      "license": "MIT",
+      "dependencies": {
+        "vary": "^1.1.2"
+      },
+      "engines": {
+        "node": ">= 14.0.0"
+      }
+    },
+    "node_modules/@koa/router": {
+      "version": "15.3.1",
+      "resolved": "https://registry.npmjs.org/@koa/router/-/router-15.3.1.tgz",
+      "integrity": "sha512-n7UgxsPmgKtEsrguz8a0d6BNx3lO2x52Z4UqkGsGwJculk4TlzZf3btd3QZMq1r1M+bSxUkBbyul4mDhysIVaQ==",
+      "license": "MIT",
+      "dependencies": {
+        "debug": "^4.4.3",
+        "http-errors": "^2.0.1",
+        "koa-compose": "^4.1.0",
+        "path-to-regexp": "^8.3.0"
+      },
+      "engines": {
+        "node": ">= 20"
+      },
+      "peerDependencies": {
+        "koa": "^2.0.0 || ^3.0.0"
+      },
+      "peerDependenciesMeta": {
+        "koa": {
+          "optional": false
+        }
+      }
+    },
     "node_modules/@kwsites/file-exists": {
       "version": "1.1.1",
       "resolved": "https://registry.npmjs.org/@kwsites/file-exists/-/file-exists-1.1.1.tgz",
@@ -2311,6 +2567,223 @@
       "integrity": "sha512-zpYTCs2byOuft65vI3z43Dd6iSdFbOZZLb9/d21aCpx2rGastVU9dOCv0lu4ykc1Ur1anAYjDi3SUvR0vq50JA==",
       "license": "MIT"
     },
+    "node_modules/@nuxt/test-utils": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/@nuxt/test-utils/-/test-utils-4.0.0.tgz",
+      "integrity": "sha512-QJfyCiqYxflUKA5xlEGuXdDApTBhJxoPXxYePIDtA90hkmKbhYs/mrMM+Bi9LiUrI/cCJOPRyIx9jOzhMvTIgg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@clack/prompts": "1.0.0",
+        "@nuxt/devtools-kit": "^2.7.0",
+        "@nuxt/kit": "^3.21.0",
+        "c12": "^3.3.3",
+        "consola": "^3.4.2",
+        "defu": "^6.1.4",
+        "destr": "^2.0.5",
+        "estree-walker": "^3.0.3",
+        "exsolve": "^1.0.8",
+        "fake-indexeddb": "^6.2.5",
+        "get-port-please": "^3.2.0",
+        "h3": "^1.15.5",
+        "h3-next": "npm:h3@2.0.1-rc.11",
+        "local-pkg": "^1.1.2",
+        "magic-string": "^0.30.21",
+        "node-fetch-native": "^1.6.7",
+        "node-mock-http": "^1.0.4",
+        "nypm": "^0.6.4",
+        "ofetch": "^1.5.1",
+        "pathe": "^2.0.3",
+        "perfect-debounce": "^2.1.0",
+        "radix3": "^1.1.2",
+        "scule": "^1.3.0",
+        "std-env": "^3.10.0",
+        "tinyexec": "^1.0.2",
+        "ufo": "^1.6.3",
+        "unplugin": "^3.0.0",
+        "vitest-environment-nuxt": "^1.0.1",
+        "vue": "^3.5.27"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      },
+      "peerDependencies": {
+        "@cucumber/cucumber": ">=11.0.0",
+        "@jest/globals": ">=30.0.0",
+        "@playwright/test": "^1.43.1",
+        "@testing-library/vue": "^8.0.1",
+        "@vue/test-utils": "^2.4.2",
+        "happy-dom": ">=20.0.11",
+        "jsdom": ">=27.4.0",
+        "playwright-core": "^1.43.1",
+        "vitest": "^4.0.2"
+      },
+      "peerDependenciesMeta": {
+        "@cucumber/cucumber": {
+          "optional": true
+        },
+        "@jest/globals": {
+          "optional": true
+        },
+        "@playwright/test": {
+          "optional": true
+        },
+        "@testing-library/vue": {
+          "optional": true
+        },
+        "@vitest/ui": {
+          "optional": true
+        },
+        "@vue/test-utils": {
+          "optional": true
+        },
+        "happy-dom": {
+          "optional": true
+        },
+        "jsdom": {
+          "optional": true
+        },
+        "playwright-core": {
+          "optional": true
+        },
+        "vitest": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@nuxt/test-utils/node_modules/@clack/core": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/@clack/core/-/core-1.0.0.tgz",
+      "integrity": "sha512-Orf9Ltr5NeiEuVJS8Rk2XTw3IxNC2Bic3ash7GgYeA8LJ/zmSNpSQ/m5UAhe03lA6KFgklzZ5KTHs4OAMA/SAQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "picocolors": "^1.0.0",
+        "sisteransi": "^1.0.5"
+      }
+    },
+    "node_modules/@nuxt/test-utils/node_modules/@clack/prompts": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/@clack/prompts/-/prompts-1.0.0.tgz",
+      "integrity": "sha512-rWPXg9UaCFqErJVQ+MecOaWsozjaxol4yjnmYcGNipAWzdaWa2x+VJmKfGq7L0APwBohQOYdHC+9RO4qRXej+A==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@clack/core": "1.0.0",
+        "picocolors": "^1.0.0",
+        "sisteransi": "^1.0.5"
+      }
+    },
+    "node_modules/@nuxt/test-utils/node_modules/@nuxt/devtools-kit": {
+      "version": "2.7.0",
+      "resolved": "https://registry.npmjs.org/@nuxt/devtools-kit/-/devtools-kit-2.7.0.tgz",
+      "integrity": "sha512-MIJdah6CF6YOW2GhfKnb8Sivu6HpcQheqdjOlZqShBr+1DyjtKQbAKSCAyKPaoIzZP4QOo2SmTFV6aN8jBeEIQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@nuxt/kit": "^3.19.3",
+        "execa": "^8.0.1"
+      },
+      "peerDependencies": {
+        "vite": ">=6.0"
+      }
+    },
+    "node_modules/@nuxt/test-utils/node_modules/@nuxt/kit": {
+      "version": "3.21.1",
+      "resolved": "https://registry.npmjs.org/@nuxt/kit/-/kit-3.21.1.tgz",
+      "integrity": "sha512-QORZRjcuTKgo++XP1Pc2c2gqwRydkaExrIRfRI9vFsPA3AzuHVn5Gfmbv1ic8y34e78mr5DMBvJlelUaeOuajg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "c12": "^3.3.3",
+        "consola": "^3.4.2",
+        "defu": "^6.1.4",
+        "destr": "^2.0.5",
+        "errx": "^0.1.0",
+        "exsolve": "^1.0.8",
+        "ignore": "^7.0.5",
+        "jiti": "^2.6.1",
+        "klona": "^2.0.6",
+        "knitwork": "^1.3.0",
+        "mlly": "^1.8.0",
+        "ohash": "^2.0.11",
+        "pathe": "^2.0.3",
+        "pkg-types": "^2.3.0",
+        "rc9": "^3.0.0",
+        "scule": "^1.3.0",
+        "semver": "^7.7.4",
+        "tinyglobby": "^0.2.15",
+        "ufo": "^1.6.3",
+        "unctx": "^2.5.0",
+        "untyped": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=18.12.0"
+      }
+    },
+    "node_modules/@nuxt/test-utils/node_modules/crossws": {
+      "version": "0.4.4",
+      "resolved": "https://registry.npmjs.org/crossws/-/crossws-0.4.4.tgz",
+      "integrity": "sha512-w6c4OdpRNnudVmcgr7brb/+/HmYjMQvYToO/oTrprTwxRUiom3LYWU1PMWuD006okbUWpII1Ea9/+kwpUfmyRg==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "peer": true,
+      "peerDependencies": {
+        "srvx": ">=0.7.1"
+      },
+      "peerDependenciesMeta": {
+        "srvx": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@nuxt/test-utils/node_modules/estree-walker": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/estree-walker/-/estree-walker-3.0.3.tgz",
+      "integrity": "sha512-7RUKfXgSMMkzt6ZuXmqapOurLGPPfgj6l9uRZ7lRGolvk0y2yocc35LdcxKC5PQZdn2DMqioAQ2NoWcrTKmm6g==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/estree": "^1.0.0"
+      }
+    },
+    "node_modules/@nuxt/test-utils/node_modules/h3-next": {
+      "name": "h3",
+      "version": "2.0.1-rc.11",
+      "resolved": "https://registry.npmjs.org/h3/-/h3-2.0.1-rc.11.tgz",
+      "integrity": "sha512-2myzjCqy32c1As9TjZW9fNZXtLqNedjFSrdFy2AjFBQQ3LzrnGoDdFDYfC0tV2e4vcyfJ2Sfo/F6NQhO2Ly/Mw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "rou3": "^0.7.12",
+        "srvx": "^0.10.1"
+      },
+      "engines": {
+        "node": ">=20.11.1"
+      },
+      "peerDependencies": {
+        "crossws": "^0.4.1"
+      },
+      "peerDependenciesMeta": {
+        "crossws": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@nuxt/test-utils/node_modules/srvx": {
+      "version": "0.10.1",
+      "resolved": "https://registry.npmjs.org/srvx/-/srvx-0.10.1.tgz",
+      "integrity": "sha512-A//xtfak4eESMWWydSRFUVvCTQbSwivnGCEf8YGPe2eHU0+Z6znfUTCPF0a7oV3sObSOcrXHlL6Bs9vVctfXdg==",
+      "dev": true,
+      "license": "MIT",
+      "bin": {
+        "srvx": "bin/srvx.mjs"
+      },
+      "engines": {
+        "node": ">=20.16.0"
+      }
+    },
     "node_modules/@nuxt/ui": {
       "version": "4.5.0",
       "resolved": "https://registry.npmjs.org/@nuxt/ui/-/ui-4.5.0.tgz",
@@ -5527,18 +6000,171 @@
         "tslib": "^2.4.0"
       }
     },
+    "node_modules/@types/accepts": {
+      "version": "1.3.7",
+      "resolved": "https://registry.npmjs.org/@types/accepts/-/accepts-1.3.7.tgz",
+      "integrity": "sha512-Pay9fq2lM2wXPWbteBsRAGiWH2hig4ZE2asK+mm7kUzlxRTfL961rj89I6zV/E3PcIkDqyuBEcMxFT7rccugeQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/node": "*"
+      }
+    },
+    "node_modules/@types/body-parser": {
+      "version": "1.19.6",
+      "resolved": "https://registry.npmjs.org/@types/body-parser/-/body-parser-1.19.6.tgz",
+      "integrity": "sha512-HLFeCYgz89uk22N5Qg3dvGvsv46B8GLvKKo1zKG4NybA8U2DiEO3w9lqGg29t/tfLRJpJ6iQxnVw4OnB7MoM9g==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/connect": "*",
+        "@types/node": "*"
+      }
+    },
+    "node_modules/@types/chai": {
+      "version": "5.2.3",
+      "resolved": "https://registry.npmjs.org/@types/chai/-/chai-5.2.3.tgz",
+      "integrity": "sha512-Mw558oeA9fFbv65/y4mHtXDs9bPnFMZAL/jxdPFUpOHHIXX91mcgEHbS5Lahr+pwZFR8A7GQleRWeI6cGFC2UA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/deep-eql": "*",
+        "assertion-error": "^2.0.1"
+      }
+    },
+    "node_modules/@types/connect": {
+      "version": "3.4.38",
+      "resolved": "https://registry.npmjs.org/@types/connect/-/connect-3.4.38.tgz",
+      "integrity": "sha512-K6uROf1LD88uDQqJCktA4yzL1YYAK6NgfsI0v/mTgyPKWsX1CnJ0XPSDhViejru1GcRkLWb8RlzFYJRqGUbaug==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/node": "*"
+      }
+    },
+    "node_modules/@types/content-disposition": {
+      "version": "0.5.9",
+      "resolved": "https://registry.npmjs.org/@types/content-disposition/-/content-disposition-0.5.9.tgz",
+      "integrity": "sha512-8uYXI3Gw35MhiVYhG3s295oihrxRyytcRHjSjqnqZVDDy/xcGBRny7+Xj1Wgfhv5QzRtN2hB2dVRBUX9XW3UcQ==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@types/cookies": {
+      "version": "0.9.2",
+      "resolved": "https://registry.npmjs.org/@types/cookies/-/cookies-0.9.2.tgz",
+      "integrity": "sha512-1AvkDdZM2dbyFybL4fxpuNCaWyv//0AwsuUk2DWeXyM1/5ZKm6W3z6mQi24RZ4l2ucY+bkSHzbDVpySqPGuV8A==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/connect": "*",
+        "@types/express": "*",
+        "@types/keygrip": "*",
+        "@types/node": "*"
+      }
+    },
+    "node_modules/@types/deep-eql": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/@types/deep-eql/-/deep-eql-4.0.2.tgz",
+      "integrity": "sha512-c9h9dVVMigMPc4bwTvC5dxqtqJZwQPePsWjPlpSOnojbor6pGqdk541lfA7AqFQr5pB1BRdq0juY9db81BwyFw==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/@types/estree": {
       "version": "1.0.8",
       "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.8.tgz",
       "integrity": "sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w==",
       "license": "MIT"
     },
+    "node_modules/@types/express": {
+      "version": "5.0.6",
+      "resolved": "https://registry.npmjs.org/@types/express/-/express-5.0.6.tgz",
+      "integrity": "sha512-sKYVuV7Sv9fbPIt/442koC7+IIwK5olP1KWeD88e/idgoJqDm3JV/YUiPwkoKK92ylff2MGxSz1CSjsXelx0YA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/body-parser": "*",
+        "@types/express-serve-static-core": "^5.0.0",
+        "@types/serve-static": "^2"
+      }
+    },
+    "node_modules/@types/express-serve-static-core": {
+      "version": "5.1.1",
+      "resolved": "https://registry.npmjs.org/@types/express-serve-static-core/-/express-serve-static-core-5.1.1.tgz",
+      "integrity": "sha512-v4zIMr/cX7/d2BpAEX3KNKL/JrT1s43s96lLvvdTmza1oEvDudCqK9aF/djc/SWgy8Yh0h30TZx5VpzqFCxk5A==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/node": "*",
+        "@types/qs": "*",
+        "@types/range-parser": "*",
+        "@types/send": "*"
+      }
+    },
+    "node_modules/@types/http-assert": {
+      "version": "1.5.6",
+      "resolved": "https://registry.npmjs.org/@types/http-assert/-/http-assert-1.5.6.tgz",
+      "integrity": "sha512-TTEwmtjgVbYAzZYWyeHPrrtWnfVkm8tQkP8P21uQifPgMRgjrow3XDEYqucuC8SKZJT7pUnhU/JymvjggxO9vw==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@types/http-errors": {
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/@types/http-errors/-/http-errors-2.0.5.tgz",
+      "integrity": "sha512-r8Tayk8HJnX0FztbZN7oVqGccWgw98T/0neJphO91KkmOzug1KkofZURD4UaD5uH8AqcFLfdPErnBod0u71/qg==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/@types/json-schema": {
       "version": "7.0.15",
       "resolved": "https://registry.npmjs.org/@types/json-schema/-/json-schema-7.0.15.tgz",
       "integrity": "sha512-5+fP8P8MFNC+AyZCDxrB2pkZFPGzqQWUzpSeuuVLvm8VMcorNYavBqoFcxK8bQz4Qsbn4oUEEem4wDLfcysGHA==",
       "license": "MIT"
     },
+    "node_modules/@types/jsonwebtoken": {
+      "version": "9.0.10",
+      "resolved": "https://registry.npmjs.org/@types/jsonwebtoken/-/jsonwebtoken-9.0.10.tgz",
+      "integrity": "sha512-asx5hIG9Qmf/1oStypjanR7iKTv0gXQ1Ov/jfrX6kS/EO0OFni8orbmGCn0672NHR3kXHwpAwR+B368ZGN/2rA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/ms": "*",
+        "@types/node": "*"
+      }
+    },
+    "node_modules/@types/keygrip": {
+      "version": "1.0.6",
+      "resolved": "https://registry.npmjs.org/@types/keygrip/-/keygrip-1.0.6.tgz",
+      "integrity": "sha512-lZuNAY9xeJt7Bx4t4dx0rYCDqGPW8RXhQZK1td7d4H6E9zYbLoOtjBvfwdTKpsyxQI/2jv+armjX/RW+ZNpXOQ==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@types/koa": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/@types/koa/-/koa-3.0.1.tgz",
+      "integrity": "sha512-VkB6WJUQSe0zBpR+Q7/YIUESGp5wPHcaXr0xueU5W0EOUWtlSbblsl+Kl31lyRQ63nIILh0e/7gXjQ09JXJIHw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/accepts": "*",
+        "@types/content-disposition": "*",
+        "@types/cookies": "*",
+        "@types/http-assert": "*",
+        "@types/http-errors": "^2",
+        "@types/keygrip": "*",
+        "@types/koa-compose": "*",
+        "@types/node": "*"
+      }
+    },
+    "node_modules/@types/koa-compose": {
+      "version": "3.2.9",
+      "resolved": "https://registry.npmjs.org/@types/koa-compose/-/koa-compose-3.2.9.tgz",
+      "integrity": "sha512-BroAZ9FTvPiCy0Pi8tjD1OfJ7bgU1gQf0eR6e1Vm+JJATy9eKOG3hQMFtMciMawiSOVnLMdmUOC46s7HBhSTsA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/koa": "*"
+      }
+    },
     "node_modules/@types/linkify-it": {
       "version": "5.0.0",
       "resolved": "https://registry.npmjs.org/@types/linkify-it/-/linkify-it-5.0.0.tgz",
@@ -5585,6 +6211,13 @@
       "integrity": "sha512-RGdgjQUZba5p6QEFAVx2OGb8rQDL/cPRG7GiedRzMcJ1tYnUANBncjbSB1NRGwbvjcPeikRABz2nshyPk1bhWg==",
       "license": "MIT"
     },
+    "node_modules/@types/ms": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/@types/ms/-/ms-2.1.0.tgz",
+      "integrity": "sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/@types/node": {
       "version": "25.3.0",
       "resolved": "https://registry.npmjs.org/@types/node/-/node-25.3.0.tgz",
@@ -5594,6 +6227,32 @@
         "undici-types": "~7.18.0"
       }
     },
+    "node_modules/@types/oidc-provider": {
+      "version": "9.5.0",
+      "resolved": "https://registry.npmjs.org/@types/oidc-provider/-/oidc-provider-9.5.0.tgz",
+      "integrity": "sha512-eEzCRVTSqIHD9Bo/qRJ4XQWQ5Z/zBcG+Z2cGJluRsSuWx1RJihqRyPxhIEpMXTwPzHYRTQkVp7hwisQOwzzSAg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/keygrip": "*",
+        "@types/koa": "*",
+        "@types/node": "*"
+      }
+    },
+    "node_modules/@types/qs": {
+      "version": "6.14.0",
+      "resolved": "https://registry.npmjs.org/@types/qs/-/qs-6.14.0.tgz",
+      "integrity": "sha512-eOunJqu0K1923aExK6y8p6fsihYEn/BYuQ4g0CxAAgFc4b/ZLN4CrsRZ55srTdqoiLzU2B2evC+apEIxprEzkQ==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@types/range-parser": {
+      "version": "1.2.7",
+      "resolved": "https://registry.npmjs.org/@types/range-parser/-/range-parser-1.2.7.tgz",
+      "integrity": "sha512-hKormJbkJqzQGhziax5PItDUTMAM9uE2XXQmM37dyd4hVM+5aVl7oVxMVUiVQn2oCQFN/LKCZdvSM0pFRqbSmQ==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/@types/resolve": {
       "version": "1.20.2",
       "resolved": "https://registry.npmjs.org/@types/resolve/-/resolve-1.20.2.tgz",
@@ -5606,6 +6265,34 @@
       "integrity": "sha512-wWKOClTTiizcZhXnPY4wikVAwmdYHp8q6DmC+EJUzAMsycb7HB32Kh9RN4+0gExjmPmZSAQjgURXIGATPegAvA==",
       "license": "MIT"
     },
+    "node_modules/@types/send": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/@types/send/-/send-1.2.1.tgz",
+      "integrity": "sha512-arsCikDvlU99zl1g69TcAB3mzZPpxgw0UQnaHeC1Nwb015xp8bknZv5rIfri9xTOcMuaVgvabfIRA7PSZVuZIQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/node": "*"
+      }
+    },
+    "node_modules/@types/serve-static": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@types/serve-static/-/serve-static-2.2.0.tgz",
+      "integrity": "sha512-8mam4H1NHLtu7nmtalF7eyBH14QyOASmcxHhSfEoRyr0nP/YdoesEtU+uSRvMe96TW/HPTtkoKqQLl53N7UXMQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/http-errors": "*",
+        "@types/node": "*"
+      }
+    },
+    "node_modules/@types/trusted-types": {
+      "version": "2.0.7",
+      "resolved": "https://registry.npmjs.org/@types/trusted-types/-/trusted-types-2.0.7.tgz",
+      "integrity": "sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==",
+      "license": "MIT",
+      "optional": true
+    },
     "node_modules/@types/web-bluetooth": {
       "version": "0.0.21",
       "resolved": "https://registry.npmjs.org/@types/web-bluetooth/-/web-bluetooth-0.0.21.tgz",
@@ -6204,6 +6891,127 @@
         "vue": "^3.0.0"
       }
     },
+    "node_modules/@vitest/expect": {
+      "version": "4.0.18",
+      "resolved": "https://registry.npmjs.org/@vitest/expect/-/expect-4.0.18.tgz",
+      "integrity": "sha512-8sCWUyckXXYvx4opfzVY03EOiYVxyNrHS5QxX3DAIi5dpJAAkyJezHCP77VMX4HKA2LDT/Jpfo8i2r5BE3GnQQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@standard-schema/spec": "^1.0.0",
+        "@types/chai": "^5.2.2",
+        "@vitest/spy": "4.0.18",
+        "@vitest/utils": "4.0.18",
+        "chai": "^6.2.1",
+        "tinyrainbow": "^3.0.3"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      }
+    },
+    "node_modules/@vitest/mocker": {
+      "version": "4.0.18",
+      "resolved": "https://registry.npmjs.org/@vitest/mocker/-/mocker-4.0.18.tgz",
+      "integrity": "sha512-HhVd0MDnzzsgevnOWCBj5Otnzobjy5wLBe4EdeeFGv8luMsGcYqDuFRMcttKWZA5vVO8RFjexVovXvAM4JoJDQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@vitest/spy": "4.0.18",
+        "estree-walker": "^3.0.3",
+        "magic-string": "^0.30.21"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      },
+      "peerDependencies": {
+        "msw": "^2.4.9",
+        "vite": "^6.0.0 || ^7.0.0-0"
+      },
+      "peerDependenciesMeta": {
+        "msw": {
+          "optional": true
+        },
+        "vite": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@vitest/mocker/node_modules/estree-walker": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/estree-walker/-/estree-walker-3.0.3.tgz",
+      "integrity": "sha512-7RUKfXgSMMkzt6ZuXmqapOurLGPPfgj6l9uRZ7lRGolvk0y2yocc35LdcxKC5PQZdn2DMqioAQ2NoWcrTKmm6g==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/estree": "^1.0.0"
+      }
+    },
+    "node_modules/@vitest/pretty-format": {
+      "version": "4.0.18",
+      "resolved": "https://registry.npmjs.org/@vitest/pretty-format/-/pretty-format-4.0.18.tgz",
+      "integrity": "sha512-P24GK3GulZWC5tz87ux0m8OADrQIUVDPIjjj65vBXYG17ZeU3qD7r+MNZ1RNv4l8CGU2vtTRqixrOi9fYk/yKw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "tinyrainbow": "^3.0.3"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      }
+    },
+    "node_modules/@vitest/runner": {
+      "version": "4.0.18",
+      "resolved": "https://registry.npmjs.org/@vitest/runner/-/runner-4.0.18.tgz",
+      "integrity": "sha512-rpk9y12PGa22Jg6g5M3UVVnTS7+zycIGk9ZNGN+m6tZHKQb7jrP7/77WfZy13Y/EUDd52NDsLRQhYKtv7XfPQw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@vitest/utils": "4.0.18",
+        "pathe": "^2.0.3"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      }
+    },
+    "node_modules/@vitest/snapshot": {
+      "version": "4.0.18",
+      "resolved": "https://registry.npmjs.org/@vitest/snapshot/-/snapshot-4.0.18.tgz",
+      "integrity": "sha512-PCiV0rcl7jKQjbgYqjtakly6T1uwv/5BQ9SwBLekVg/EaYeQFPiXcgrC2Y7vDMA8dM1SUEAEV82kgSQIlXNMvA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@vitest/pretty-format": "4.0.18",
+        "magic-string": "^0.30.21",
+        "pathe": "^2.0.3"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      }
+    },
+    "node_modules/@vitest/spy": {
+      "version": "4.0.18",
+      "resolved": "https://registry.npmjs.org/@vitest/spy/-/spy-4.0.18.tgz",
+      "integrity": "sha512-cbQt3PTSD7P2OARdVW3qWER5EGq7PHlvE+QfzSC0lbwO+xnt7+XH06ZzFjFRgzUX//JmpxrCu92VdwvEPlWSNw==",
+      "dev": true,
+      "license": "MIT",
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      }
+    },
+    "node_modules/@vitest/utils": {
+      "version": "4.0.18",
+      "resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-4.0.18.tgz",
+      "integrity": "sha512-msMRKLMVLWygpK3u2Hybgi4MNjcYJvwTb0Ru09+fOyCXIgT5raYP041DRRdiJiI3k/2U6SEbAETB3YtBrUkCFA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@vitest/pretty-format": "4.0.18",
+        "tinyrainbow": "^3.0.3"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      }
+    },
     "node_modules/@volar/language-core": {
       "version": "2.4.28",
       "resolved": "https://registry.npmjs.org/@volar/language-core/-/language-core-2.4.28.tgz",
@@ -6608,6 +7416,19 @@
         "node": ">=6.5"
       }
     },
+    "node_modules/accepts": {
+      "version": "1.3.8",
+      "resolved": "https://registry.npmjs.org/accepts/-/accepts-1.3.8.tgz",
+      "integrity": "sha512-PYAthTa2m2VKxuvSD3DPC/Gy+U+sOA1LAuT8mkmRuvw+NACSaeXEQ+NHcVF7rONl6qcaxV3Uuemwawk+7+SJLw==",
+      "license": "MIT",
+      "dependencies": {
+        "mime-types": "~2.1.34",
+        "negotiator": "0.6.3"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
     "node_modules/acorn": {
       "version": "8.16.0",
       "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.16.0.tgz",
@@ -6848,6 +7669,16 @@
         "node": ">=10"
       }
     },
+    "node_modules/assertion-error": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/assertion-error/-/assertion-error-2.0.1.tgz",
+      "integrity": "sha512-Izi8RQcffqCeNVgFigKli1ssklIbpHnCYc6AknXGYoB6grJqyeby7jv12JUQgmTAnIDnbck1uxksT4dzN3PWBA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=12"
+      }
+    },
     "node_modules/ast-kit": {
       "version": "2.2.0",
       "resolved": "https://registry.npmjs.org/ast-kit/-/ast-kit-2.2.0.tgz",
@@ -7014,13 +7845,13 @@
         "node": ">=6.0.0"
       }
     },
-    "node_modules/bcryptjs": {
-      "version": "3.0.3",
-      "resolved": "https://registry.npmjs.org/bcryptjs/-/bcryptjs-3.0.3.tgz",
-      "integrity": "sha512-GlF5wPWnSa/X5LKM1o0wz0suXIINz1iHRLvTS+sLyi7XPbe5ycmYI3DlZqVGZZtDgl4DmasFg7gOB3JYbphV5g==",
-      "license": "BSD-3-Clause",
-      "bin": {
-        "bcrypt": "bin/bcrypt"
+    "node_modules/bidi-js": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/bidi-js/-/bidi-js-1.0.3.tgz",
+      "integrity": "sha512-RKshQI1R3YQ+n9YJz2QQ147P66ELpa1FQEg20Dk8oW9t2KgLbpDLLp9aGZ7y8WHSshDknG0bknqGw5/tyCs5tw==",
+      "license": "MIT",
+      "dependencies": {
+        "require-from-string": "^2.0.2"
       }
     },
     "node_modules/bindings": {
@@ -7200,6 +8031,15 @@
         "esbuild": ">=0.18"
       }
     },
+    "node_modules/bytes": {
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz",
+      "integrity": "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
     "node_modules/c12": {
       "version": "3.3.3",
       "resolved": "https://registry.npmjs.org/c12/-/c12-3.3.3.tgz",
@@ -7301,6 +8141,16 @@
       ],
       "license": "CC-BY-4.0"
     },
+    "node_modules/chai": {
+      "version": "6.2.2",
+      "resolved": "https://registry.npmjs.org/chai/-/chai-6.2.2.tgz",
+      "integrity": "sha512-NUPRluOfOiTKBKvWPtSD4PhFvWCqOi0BGStNWs57X9js7XGTprSmFoz5F0tWhR4WPjNeR9jXqdC7/UpSJTnlRg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/chalk": {
       "version": "4.1.2",
       "resolved": "https://registry.npmjs.org/chalk/-/chalk-4.1.2.tgz",
@@ -7564,6 +8414,28 @@
         "node": "^14.18.0 || >=16.10.0"
       }
     },
+    "node_modules/content-disposition": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-1.0.1.tgz",
+      "integrity": "sha512-oIXISMynqSqm241k6kcQ5UwttDILMK4BiurCfGEREw6+X9jkkpEe5T9FZaApyLGGOnFuyMWZpdolTXMtvEJ08Q==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/content-type": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.5.tgz",
+      "integrity": "sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
     "node_modules/convert-source-map": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/convert-source-map/-/convert-source-map-2.0.0.tgz",
@@ -7576,6 +8448,19 @@
       "integrity": "sha512-+W7VmiVINB+ywl1HGXJXmrqkOhpKrIiVZV6tQuV54ZyQC7MMuBt81Vc336GMLoHBq5hV/F9eXgt5Mnx0Rha5Fg==",
       "license": "MIT"
     },
+    "node_modules/cookies": {
+      "version": "0.9.1",
+      "resolved": "https://registry.npmjs.org/cookies/-/cookies-0.9.1.tgz",
+      "integrity": "sha512-TG2hpqe4ELx54QER/S3HQ9SRVnQnGBtKUz5bLQWtYAQ+o6GpgMs6sYUvaiJjVxb+UXwhRhAEP3m7LbsIZ77Hmw==",
+      "license": "MIT",
+      "dependencies": {
+        "depd": "~2.0.0",
+        "keygrip": "~1.1.0"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
     "node_modules/copy-anything": {
       "version": "4.0.5",
       "resolved": "https://registry.npmjs.org/copy-anything/-/copy-anything-4.0.5.tgz",
@@ -7855,12 +8740,84 @@
       "integrity": "sha512-aylIc7Z9y4yzHYAJNuESG3hfhC+0Ibp/MAMiaOZgNv4pmEdFyfZhhhny4MNiAfWdBQ1RQ2mfDWmM1x8SvGyp8g==",
       "license": "CC0-1.0"
     },
+    "node_modules/cssstyle": {
+      "version": "6.1.0",
+      "resolved": "https://registry.npmjs.org/cssstyle/-/cssstyle-6.1.0.tgz",
+      "integrity": "sha512-Ml4fP2UT2K3CUBQnVlbdV/8aFDdlY69E+YnwJM+3VUWl08S3J8c8aRuJqCkD9Py8DHZ7zNNvsfKl8psocHZEFg==",
+      "license": "MIT",
+      "dependencies": {
+        "@asamuzakjp/css-color": "^5.0.0",
+        "@csstools/css-syntax-patches-for-csstree": "^1.0.28",
+        "css-tree": "^3.1.0",
+        "lru-cache": "^11.2.6"
+      },
+      "engines": {
+        "node": ">=20"
+      }
+    },
+    "node_modules/cssstyle/node_modules/lru-cache": {
+      "version": "11.2.6",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.2.6.tgz",
+      "integrity": "sha512-ESL2CrkS/2wTPfuend7Zhkzo2u0daGJ/A2VucJOgQ/C48S/zB8MMeMHSGKYpXhIjbPxfuezITkaBH1wqv00DDQ==",
+      "license": "BlueOak-1.0.0",
+      "engines": {
+        "node": "20 || >=22"
+      }
+    },
     "node_modules/csstype": {
       "version": "3.2.3",
       "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.2.3.tgz",
       "integrity": "sha512-z1HGKcYy2xA8AGQfwrn0PAy+PB7X/GSj3UVJW9qKyn43xWa+gl5nXmU4qqLMRzWVLFC8KusUX8T/0kCiOYpAIQ==",
       "license": "MIT"
     },
+    "node_modules/data-urls": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/data-urls/-/data-urls-7.0.0.tgz",
+      "integrity": "sha512-23XHcCF+coGYevirZceTVD7NdJOqVn+49IHyxgszm+JIiHLoB2TkmPtsYkNWT1pvRSGkc35L6NHs0yHkN2SumA==",
+      "license": "MIT",
+      "dependencies": {
+        "whatwg-mimetype": "^5.0.0",
+        "whatwg-url": "^16.0.0"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      }
+    },
+    "node_modules/data-urls/node_modules/tr46": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/tr46/-/tr46-6.0.0.tgz",
+      "integrity": "sha512-bLVMLPtstlZ4iMQHpFHTR7GAGj2jxi8Dg0s2h2MafAE4uSWF98FC/3MomU51iQAMf8/qDUbKWf5GxuvvVcXEhw==",
+      "license": "MIT",
+      "dependencies": {
+        "punycode": "^2.3.1"
+      },
+      "engines": {
+        "node": ">=20"
+      }
+    },
+    "node_modules/data-urls/node_modules/webidl-conversions": {
+      "version": "8.0.1",
+      "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-8.0.1.tgz",
+      "integrity": "sha512-BMhLD/Sw+GbJC21C/UgyaZX41nPt8bUTg+jWyDeg7e7YN4xOM05YPSIXceACnXVtqyEw/LMClUQMtMZ+PGGpqQ==",
+      "license": "BSD-2-Clause",
+      "engines": {
+        "node": ">=20"
+      }
+    },
+    "node_modules/data-urls/node_modules/whatwg-url": {
+      "version": "16.0.1",
+      "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-16.0.1.tgz",
+      "integrity": "sha512-1to4zXBxmXHV3IiSSEInrreIlu02vUOvrhxJJH5vcxYTBDAx51cqZiKdyTxlecdKNSjj8EcxGBxNf6Vg+945gw==",
+      "license": "MIT",
+      "dependencies": {
+        "@exodus/bytes": "^1.11.0",
+        "tr46": "^6.0.0",
+        "webidl-conversions": "^8.0.1"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      }
+    },
     "node_modules/db0": {
       "version": "0.3.4",
       "resolved": "https://registry.npmjs.org/db0/-/db0-0.3.4.tgz",
@@ -7912,6 +8869,18 @@
         }
       }
     },
+    "node_modules/decimal.js": {
+      "version": "10.6.0",
+      "resolved": "https://registry.npmjs.org/decimal.js/-/decimal.js-10.6.0.tgz",
+      "integrity": "sha512-YpgQiITW3JXGntzdUmyUR1V812Hn8T1YVXhCu+wO3OpS4eU9l4YdD3qjyiKdV6mvV29zapkMeD390UVEf2lkUg==",
+      "license": "MIT"
+    },
+    "node_modules/deep-equal": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/deep-equal/-/deep-equal-1.0.1.tgz",
+      "integrity": "sha512-bHtC0iYvWhyaTzvV3CZgPeZQqCOBGyGsVV7v4eevpdkLHfiSrXUdBG+qAuSz4RI70sszvjQ1QSZ98An1yNwpSw==",
+      "license": "MIT"
+    },
     "node_modules/deep-is": {
       "version": "0.1.4",
       "resolved": "https://registry.npmjs.org/deep-is/-/deep-is-0.1.4.tgz",
@@ -7979,6 +8948,12 @@
         "node": ">=0.4.0"
       }
     },
+    "node_modules/delegates": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/delegates/-/delegates-1.0.0.tgz",
+      "integrity": "sha512-bd2L678uiWATM6m5Z1VzNCErI3jiGzt6HGY8OVICs40JQq/HALfbyNJmp0UDakEY4pMMaN0Ly5om/B1VI/+xfQ==",
+      "license": "MIT"
+    },
     "node_modules/denque": {
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/denque/-/denque-2.1.0.tgz",
@@ -8003,6 +8978,16 @@
       "integrity": "sha512-ugFTXCtDZunbzasqBxrK93Ik/DRYsO6S/fedkWEMKqt04xZ4csmnmwGDBAb07QWNaGMAmnTIemsYZCksjATwsA==",
       "license": "MIT"
     },
+    "node_modules/destroy": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/destroy/-/destroy-1.2.0.tgz",
+      "integrity": "sha512-2sJGJTaXIIaR1w4iJSNoN0hnMY7Gpc/n8D4qSCJw8QqFWXf7cuAgnEHxBpweaVcPevC2l3KpjYCx3NypQQgaJg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8",
+        "npm": "1.2.8000 || >= 1.4.16"
+      }
+    },
     "node_modules/detect-libc": {
       "version": "2.1.2",
       "resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.1.2.tgz",
@@ -8080,6 +9065,15 @@
         "url": "https://github.com/fb55/domhandler?sponsor=1"
       }
     },
+    "node_modules/dompurify": {
+      "version": "3.3.1",
+      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.3.1.tgz",
+      "integrity": "sha512-qkdCKzLNtrgPFP1Vo+98FRzJnBRGe4ffyCea9IwHB1fyxPOeNTHpLKYGd4Uk9xvNoH0ZoOjwZxNptyMwqrId1Q==",
+      "license": "(MPL-2.0 OR Apache-2.0)",
+      "optionalDependencies": {
+        "@types/trusted-types": "^2.0.7"
+      }
+    },
     "node_modules/domutils": {
       "version": "3.2.2",
       "resolved": "https://registry.npmjs.org/domutils/-/domutils-3.2.2.tgz",
@@ -9024,6 +10018,18 @@
         "node": ">=0.10.0"
       }
     },
+    "node_modules/eta": {
+      "version": "4.5.1",
+      "resolved": "https://registry.npmjs.org/eta/-/eta-4.5.1.tgz",
+      "integrity": "sha512-EaNCGm+8XEIU7YNcc+THptWAO5NfKBHHARxt+wxZljj9bTr/+arRoOm9/MpGt4n6xn9fLnPFRSoLD0WFYGFUxQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=20"
+      },
+      "funding": {
+        "url": "https://github.com/bgub/eta?sponsor=1"
+      }
+    },
     "node_modules/etag": {
       "version": "1.8.1",
       "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz",
@@ -9101,12 +10107,32 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/expect-type": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/expect-type/-/expect-type-1.3.0.tgz",
+      "integrity": "sha512-knvyeauYhqjOYvQ66MznSMs83wmHrCycNEN6Ao+2AeYEfxUIkuiVxdEa1qlGEPK+We3n0THiDciYSsCcgW/DoA==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=12.0.0"
+      }
+    },
     "node_modules/exsolve": {
       "version": "1.0.8",
       "resolved": "https://registry.npmjs.org/exsolve/-/exsolve-1.0.8.tgz",
       "integrity": "sha512-LmDxfWXwcTArk8fUEnOfSZpHOJ6zOMUJKOtFLFqJLoKJetuQG874Uc7/Kki7zFLzYybmZhp1M7+98pfMqeX8yA==",
       "license": "MIT"
     },
+    "node_modules/fake-indexeddb": {
+      "version": "6.2.5",
+      "resolved": "https://registry.npmjs.org/fake-indexeddb/-/fake-indexeddb-6.2.5.tgz",
+      "integrity": "sha512-CGnyrvbhPlWYMngksqrSSUT1BAVP49dZocrHuK0SvtR0D5TMs5wP0o3j7jexDJW01KSadjBp1M/71o/KR3nD1w==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/fast-deep-equal": {
       "version": "3.1.3",
       "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz",
@@ -9761,6 +10787,18 @@
       "integrity": "sha512-Yc+BQe8SvoXH1643Qez1zqLRmbA5rCL+sSmk6TVos0LWVfNIB7PGncdlId77WzLGSIB5KaWgTaNTs2lNVEI6VQ==",
       "license": "MIT"
     },
+    "node_modules/html-encoding-sniffer": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/html-encoding-sniffer/-/html-encoding-sniffer-6.0.0.tgz",
+      "integrity": "sha512-CV9TW3Y3f8/wT0BRFc1/KAVQ3TUHiXmaAb6VW9vtiMFf7SLoMd1PdAc4W3KFOFETBJUb90KatHqlsZMWV+R9Gg==",
+      "license": "MIT",
+      "dependencies": {
+        "@exodus/bytes": "^1.6.0"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      }
+    },
     "node_modules/html-entities": {
       "version": "2.6.0",
       "resolved": "https://registry.npmjs.org/html-entities/-/html-entities-2.6.0.tgz",
@@ -9777,6 +10815,53 @@
       ],
       "license": "MIT"
     },
+    "node_modules/http-assert": {
+      "version": "1.5.0",
+      "resolved": "https://registry.npmjs.org/http-assert/-/http-assert-1.5.0.tgz",
+      "integrity": "sha512-uPpH7OKX4H25hBmU6G1jWNaqJGpTXxey+YOUizJUAgu0AjLUeC8D73hTrhvDS5D+GJN1DN1+hhc/eF/wpxtp0w==",
+      "license": "MIT",
+      "dependencies": {
+        "deep-equal": "~1.0.1",
+        "http-errors": "~1.8.0"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/http-assert/node_modules/depd": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz",
+      "integrity": "sha512-7emPTl6Dpo6JRXOXjLRxck+FlLRX5847cLKEn00PLAgc3g2hTZZgr+e4c2v6QpSmLeFP3n5yUo7ft6avBK/5jQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/http-assert/node_modules/http-errors": {
+      "version": "1.8.1",
+      "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.8.1.tgz",
+      "integrity": "sha512-Kpk9Sm7NmI+RHhnj6OIWDI1d6fIoFAtFt9RLaTMRlg/8w49juAStsrBgp0Dp4OdxdVbRIeKhtCUvoi/RuAhO4g==",
+      "license": "MIT",
+      "dependencies": {
+        "depd": "~1.1.2",
+        "inherits": "2.0.4",
+        "setprototypeof": "1.2.0",
+        "statuses": ">= 1.5.0 < 2",
+        "toidentifier": "1.0.1"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/http-assert/node_modules/statuses": {
+      "version": "1.5.0",
+      "resolved": "https://registry.npmjs.org/statuses/-/statuses-1.5.0.tgz",
+      "integrity": "sha512-OpZ3zP+jT1PI7I8nemJX4AKmAX070ZkYPVWV/AaKTJl+tXCTGyVdC1a4SL8RUQYEwk/f34ZX8UTykN68FwrqAA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
     "node_modules/http-errors": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.1.tgz",
@@ -9797,6 +10882,19 @@
         "url": "https://opencollective.com/express"
       }
     },
+    "node_modules/http-proxy-agent": {
+      "version": "7.0.2",
+      "resolved": "https://registry.npmjs.org/http-proxy-agent/-/http-proxy-agent-7.0.2.tgz",
+      "integrity": "sha512-T1gkAiYYDWYx3V5Bmyu7HcfcvL7mUrTWiM6yOfa3PIphViJ/gFPbvidQ+veqSOHci/PxBcDabeUNCzpOODJZig==",
+      "license": "MIT",
+      "dependencies": {
+        "agent-base": "^7.1.0",
+        "debug": "^4.3.4"
+      },
+      "engines": {
+        "node": ">= 14"
+      }
+    },
     "node_modules/http-shutdown": {
       "version": "1.2.2",
       "resolved": "https://registry.npmjs.org/http-shutdown/-/http-shutdown-1.2.2.tgz",
@@ -10137,6 +11235,12 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/is-potential-custom-element-name": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/is-potential-custom-element-name/-/is-potential-custom-element-name-1.0.1.tgz",
+      "integrity": "sha512-bCYeRA2rVibKZd+s2625gGnGF/t7DSqDs4dP7CrLA1m7jKWz6pps0LpYLJN8Q64HtmPKJ1hrN3nzPNKFEKOUiQ==",
+      "license": "MIT"
+    },
     "node_modules/is-reference": {
       "version": "1.2.1",
       "resolved": "https://registry.npmjs.org/is-reference/-/is-reference-1.2.1.tgz",
@@ -10212,6 +11316,19 @@
       "integrity": "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==",
       "license": "ISC"
     },
+    "node_modules/isomorphic-dompurify": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/isomorphic-dompurify/-/isomorphic-dompurify-3.0.0.tgz",
+      "integrity": "sha512-5K+MYP7Nrg74+Bi+QmQGzQ/FgEOyVHWsN8MuJy5wYQxxBRxPnWsD25Tjjt5FWYhan3OQ+vNLubyNJH9dfG03lQ==",
+      "license": "MIT",
+      "dependencies": {
+        "dompurify": "^3.3.1",
+        "jsdom": "^28.0.0"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      }
+    },
     "node_modules/isomorphic.js": {
       "version": "0.2.5",
       "resolved": "https://registry.npmjs.org/isomorphic.js/-/isomorphic.js-0.2.5.tgz",
@@ -10247,6 +11364,15 @@
         "jiti": "lib/jiti-cli.mjs"
       }
     },
+    "node_modules/jose": {
+      "version": "6.1.3",
+      "resolved": "https://registry.npmjs.org/jose/-/jose-6.1.3.tgz",
+      "integrity": "sha512-0TpaTfihd4QMNwrz/ob2Bp7X04yuxJkjRGi4aKmOqwhov54i6u79oCv7T+C7lo70MKH6BesI3vscD1yb/yzKXQ==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/panva"
+      }
+    },
     "node_modules/js-tokens": {
       "version": "4.0.0",
       "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz",
@@ -10274,6 +11400,90 @@
         "node": ">=20.0.0"
       }
     },
+    "node_modules/jsdom": {
+      "version": "28.1.0",
+      "resolved": "https://registry.npmjs.org/jsdom/-/jsdom-28.1.0.tgz",
+      "integrity": "sha512-0+MoQNYyr2rBHqO1xilltfDjV9G7ymYGlAUazgcDLQaUf8JDHbuGwsxN6U9qWaElZ4w1B2r7yEGIL3GdeW3Rug==",
+      "license": "MIT",
+      "dependencies": {
+        "@acemir/cssom": "^0.9.31",
+        "@asamuzakjp/dom-selector": "^6.8.1",
+        "@bramus/specificity": "^2.4.2",
+        "@exodus/bytes": "^1.11.0",
+        "cssstyle": "^6.0.1",
+        "data-urls": "^7.0.0",
+        "decimal.js": "^10.6.0",
+        "html-encoding-sniffer": "^6.0.0",
+        "http-proxy-agent": "^7.0.2",
+        "https-proxy-agent": "^7.0.6",
+        "is-potential-custom-element-name": "^1.0.1",
+        "parse5": "^8.0.0",
+        "saxes": "^6.0.0",
+        "symbol-tree": "^3.2.4",
+        "tough-cookie": "^6.0.0",
+        "undici": "^7.21.0",
+        "w3c-xmlserializer": "^5.0.0",
+        "webidl-conversions": "^8.0.1",
+        "whatwg-mimetype": "^5.0.0",
+        "whatwg-url": "^16.0.0",
+        "xml-name-validator": "^5.0.0"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      },
+      "peerDependencies": {
+        "canvas": "^3.0.0"
+      },
+      "peerDependenciesMeta": {
+        "canvas": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/jsdom/node_modules/tr46": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/tr46/-/tr46-6.0.0.tgz",
+      "integrity": "sha512-bLVMLPtstlZ4iMQHpFHTR7GAGj2jxi8Dg0s2h2MafAE4uSWF98FC/3MomU51iQAMf8/qDUbKWf5GxuvvVcXEhw==",
+      "license": "MIT",
+      "dependencies": {
+        "punycode": "^2.3.1"
+      },
+      "engines": {
+        "node": ">=20"
+      }
+    },
+    "node_modules/jsdom/node_modules/webidl-conversions": {
+      "version": "8.0.1",
+      "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-8.0.1.tgz",
+      "integrity": "sha512-BMhLD/Sw+GbJC21C/UgyaZX41nPt8bUTg+jWyDeg7e7YN4xOM05YPSIXceACnXVtqyEw/LMClUQMtMZ+PGGpqQ==",
+      "license": "BSD-2-Clause",
+      "engines": {
+        "node": ">=20"
+      }
+    },
+    "node_modules/jsdom/node_modules/whatwg-url": {
+      "version": "16.0.1",
+      "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-16.0.1.tgz",
+      "integrity": "sha512-1to4zXBxmXHV3IiSSEInrreIlu02vUOvrhxJJH5vcxYTBDAx51cqZiKdyTxlecdKNSjj8EcxGBxNf6Vg+945gw==",
+      "license": "MIT",
+      "dependencies": {
+        "@exodus/bytes": "^1.11.0",
+        "tr46": "^6.0.0",
+        "webidl-conversions": "^8.0.1"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      }
+    },
+    "node_modules/jsdom/node_modules/xml-name-validator": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/xml-name-validator/-/xml-name-validator-5.0.0.tgz",
+      "integrity": "sha512-EvGK8EJ3DhaHfbRlETOWAS5pO9MZITeauHKJyb8wyajUfQUenkIg2MvLDTZ4T/TgIcm3HU0TFBgWWboAZ30UHg==",
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/jsesc": {
       "version": "3.1.0",
       "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-3.1.0.tgz",
@@ -10378,6 +11588,18 @@
         "node": ">=12.0.0"
       }
     },
+    "node_modules/keygrip": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/keygrip/-/keygrip-1.1.0.tgz",
+      "integrity": "sha512-iYSchDJ+liQ8iwbSI2QqsQOvqv58eJCEanyJPJi+Khyu8smkcKSFUCbPwzFcL7YVtZ6eONjqRX/38caJ7QjRAQ==",
+      "license": "MIT",
+      "dependencies": {
+        "tsscmp": "1.0.6"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
     "node_modules/keyv": {
       "version": "4.5.4",
       "resolved": "https://registry.npmjs.org/keyv/-/keyv-4.5.4.tgz",
@@ -10411,6 +11633,75 @@
       "integrity": "sha512-4LqMNoONzR43B1W0ek0fhXMsDNW/zxa1NdFAVMY+k28pgZLovR4G3PB5MrpTxCy1QaZCqNoiaKPr5w5qZHfSNw==",
       "license": "MIT"
     },
+    "node_modules/koa": {
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/koa/-/koa-3.1.2.tgz",
+      "integrity": "sha512-2LOQnFKu3m0VxpE+5sb5+BRTSKrXmNxGgxVRiKwD9s5KQB1zID/FRXhtzeV7RT1L2GVpdEEAfVuclFOMGl1ikA==",
+      "license": "MIT",
+      "dependencies": {
+        "accepts": "^1.3.8",
+        "content-disposition": "~1.0.1",
+        "content-type": "^1.0.5",
+        "cookies": "~0.9.1",
+        "delegates": "^1.0.0",
+        "destroy": "^1.2.0",
+        "encodeurl": "^2.0.0",
+        "escape-html": "^1.0.3",
+        "fresh": "~0.5.2",
+        "http-assert": "^1.5.0",
+        "http-errors": "^2.0.0",
+        "koa-compose": "^4.1.0",
+        "mime-types": "^3.0.1",
+        "on-finished": "^2.4.1",
+        "parseurl": "^1.3.3",
+        "statuses": "^2.0.1",
+        "type-is": "^2.0.1",
+        "vary": "^1.1.2"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/koa-compose": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/koa-compose/-/koa-compose-4.1.0.tgz",
+      "integrity": "sha512-8ODW8TrDuMYvXRwra/Kh7/rJo9BtOfPc6qO8eAfC80CnCvSjSl0bkRM24X6/XBBEyj0v1nRUQ1LyOy3dbqOWXw==",
+      "license": "MIT"
+    },
+    "node_modules/koa/node_modules/fresh": {
+      "version": "0.5.2",
+      "resolved": "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz",
+      "integrity": "sha512-zJ2mQYM18rEFOudeV4GShTGIQ7RbzA7ozbU9I/XBpm7kqgMywgmylMwXHxZJmkVoYkna9d2pVXVXPdYTP9ej8Q==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/koa/node_modules/mime-db": {
+      "version": "1.54.0",
+      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.54.0.tgz",
+      "integrity": "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/koa/node_modules/mime-types": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-3.0.2.tgz",
+      "integrity": "sha512-Lbgzdk0h4juoQ9fCKXW4by0UJqj+nOOrI9MJ1sSj4nI8aI2eo1qmvQEie4VD1glsS250n15LsWsYtCugiStS5A==",
+      "license": "MIT",
+      "dependencies": {
+        "mime-db": "^1.54.0"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
     "node_modules/launch-editor": {
       "version": "2.13.0",
       "resolved": "https://registry.npmjs.org/launch-editor/-/launch-editor-2.13.0.tgz",
@@ -11086,6 +12377,15 @@
       "integrity": "sha512-Lf+9+2r+Tdp5wXDXC4PcIBjTDtq4UKjCPMQhKIuzpJNW0b96kVqSwW0bT7FhRSfmAiFYgP+SCRvdrDozfh0U5w==",
       "license": "MIT"
     },
+    "node_modules/media-typer": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-1.1.0.tgz",
+      "integrity": "sha512-aisnrDP4GNe06UcKFnV5bfMNPBUw4jsLGaWwWfnH3v02GnBuXX2MCVn5RbrWo0j3pczUilYblq7fQ7Nw2t5XKw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
     "node_modules/memory-pager": {
       "version": "1.5.0",
       "resolved": "https://registry.npmjs.org/memory-pager/-/memory-pager-1.5.0.tgz",
@@ -11452,6 +12752,15 @@
       "integrity": "sha512-OWND8ei3VtNC9h7V60qff3SVobHr996CTwgxubgyQYEpg290h9J0buyECNNJexkFm5sOajh5G116RYA1c8ZMSw==",
       "license": "MIT"
     },
+    "node_modules/negotiator": {
+      "version": "0.6.3",
+      "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.3.tgz",
+      "integrity": "sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
     "node_modules/nitro-cors": {
       "version": "0.7.1",
       "resolved": "https://registry.npmjs.org/nitro-cors/-/nitro-cors-0.7.1.tgz",
@@ -11896,6 +13205,27 @@
       "integrity": "sha512-RdR9FQrFwNBNXAr4GixM8YaRZRJ5PUWbKYbE5eOsrwAjJW0q2REGcf79oYPsLyskQCZG1PLN+S/K1V00joZAoQ==",
       "license": "MIT"
     },
+    "node_modules/oidc-provider": {
+      "version": "9.6.1",
+      "resolved": "https://registry.npmjs.org/oidc-provider/-/oidc-provider-9.6.1.tgz",
+      "integrity": "sha512-8AtFXE4gEV6MLd8Re78VhqGNjBm/SUw0fUxrP2XwQc+5DZKw6GyuTuy2M4jkidpH3jRrhtkkqQpXlxD1Awi6tg==",
+      "license": "MIT",
+      "dependencies": {
+        "@koa/cors": "^5.0.0",
+        "@koa/router": "^15.3.0",
+        "debug": "^4.4.3",
+        "eta": "^4.5.1",
+        "jose": "^6.1.3",
+        "jsesc": "^3.1.0",
+        "koa": "^3.1.1",
+        "nanoid": "^5.1.6",
+        "quick-lru": "^7.3.0",
+        "raw-body": "^3.0.2"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/panva"
+      }
+    },
     "node_modules/on-change": {
       "version": "6.0.2",
       "resolved": "https://registry.npmjs.org/on-change/-/on-change-6.0.2.tgz",
@@ -12244,6 +13574,30 @@
       "integrity": "sha512-HlsyYdMBnbPQ9Jr/VgJ1YF4scnldvJpJxCVx6KgqPL4dxppsWrJHCIIxQXMJrqGnsRkNPATbeMJ8Yxu7JMsYcA==",
       "license": "MIT"
     },
+    "node_modules/parse5": {
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/parse5/-/parse5-8.0.0.tgz",
+      "integrity": "sha512-9m4m5GSgXjL4AjumKzq1Fgfp3Z8rsvjRNbnkVwfu2ImRqE5D0LnY2QfDen18FSY9C573YU5XxSapdHZTZ2WolA==",
+      "license": "MIT",
+      "dependencies": {
+        "entities": "^6.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/inikulin/parse5?sponsor=1"
+      }
+    },
+    "node_modules/parse5/node_modules/entities": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/entities/-/entities-6.0.1.tgz",
+      "integrity": "sha512-aN97NXWF6AWBTahfVOIrB/NShkzi5H7F9r1s9mD3cDj4Ko5f2qhhVoYMibXF7GlLveb/D2ioWay8lxI97Ven3g==",
+      "license": "BSD-2-Clause",
+      "engines": {
+        "node": ">=0.12"
+      },
+      "funding": {
+        "url": "https://github.com/fb55/entities?sponsor=1"
+      }
+    },
     "node_modules/parseurl": {
       "version": "1.3.3",
       "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz",
@@ -12308,6 +13662,16 @@
         "node": "20 || >=22"
       }
     },
+    "node_modules/path-to-regexp": {
+      "version": "8.3.0",
+      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.3.0.tgz",
+      "integrity": "sha512-7jdwVIRtsP8MYpdXSwOS0YdD0Du+qOoF/AEPIt88PcCFrZCzx41oxku1jD88hZBwbNUIEfpqvuhjFaMAqMTWnA==",
+      "license": "MIT",
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
     "node_modules/pathe": {
       "version": "2.0.3",
       "resolved": "https://registry.npmjs.org/pathe/-/pathe-2.0.3.tgz",
@@ -13210,6 +14574,18 @@
       ],
       "license": "MIT"
     },
+    "node_modules/quick-lru": {
+      "version": "7.3.0",
+      "resolved": "https://registry.npmjs.org/quick-lru/-/quick-lru-7.3.0.tgz",
+      "integrity": "sha512-k9lSsjl36EJdK7I06v7APZCbyGT2vMTsYSRX1Q2nbYmnkBqgUhRkAuzH08Ciotteu/PLJmIF2+tti7o3C/ts2g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/radix3": {
       "version": "1.1.2",
       "resolved": "https://registry.npmjs.org/radix3/-/radix3-1.1.2.tgz",
@@ -13234,6 +14610,43 @@
         "node": ">= 0.6"
       }
     },
+    "node_modules/rate-limiter-flexible": {
+      "version": "9.1.1",
+      "resolved": "https://registry.npmjs.org/rate-limiter-flexible/-/rate-limiter-flexible-9.1.1.tgz",
+      "integrity": "sha512-imxFjzPCmvDLMe7d2tsgiSQvs5EI2fI9SNymmslAfOqznZhsZ+PqbIjIYKpuSbd3pKovR1aMG47qfCLIO/adVg==",
+      "license": "ISC"
+    },
+    "node_modules/raw-body": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-3.0.2.tgz",
+      "integrity": "sha512-K5zQjDllxWkf7Z5xJdV0/B0WTNqx6vxG70zJE4N0kBs4LovmEYWJzQGxC9bS9RAKu3bgM40lrd5zoLJ12MQ5BA==",
+      "license": "MIT",
+      "dependencies": {
+        "bytes": "~3.1.2",
+        "http-errors": "~2.0.1",
+        "iconv-lite": "~0.7.0",
+        "unpipe": "~1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.10"
+      }
+    },
+    "node_modules/raw-body/node_modules/iconv-lite": {
+      "version": "0.7.2",
+      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.7.2.tgz",
+      "integrity": "sha512-im9DjEDQ55s9fL4EYzOAv0yMqmMBSZp6G0VvFyTMPKWxiSBHUj9NW/qqLmXUwXrrM7AvqSlTCfvqRb0cM8yYqw==",
+      "license": "MIT",
+      "dependencies": {
+        "safer-buffer": ">= 2.1.2 < 3.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
     "node_modules/rc9": {
       "version": "3.0.0",
       "resolved": "https://registry.npmjs.org/rc9/-/rc9-3.0.0.tgz",
@@ -13410,6 +14823,15 @@
         "node": ">=0.10.0"
       }
     },
+    "node_modules/require-from-string": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/require-from-string/-/require-from-string-2.0.2.tgz",
+      "integrity": "sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
     "node_modules/resend": {
       "version": "6.9.2",
       "resolved": "https://registry.npmjs.org/resend/-/resend-6.9.2.tgz",
@@ -13662,6 +15084,18 @@
         "node": ">=11.0.0"
       }
     },
+    "node_modules/saxes": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/saxes/-/saxes-6.0.0.tgz",
+      "integrity": "sha512-xAg7SOnEhrm5zI3puOOKyy1OMcMlIJZYNJY7xLBwSze0UjhPLnWfj2GF2EpT0jmzaJKIWKHLsaSSajf35bcYnA==",
+      "license": "ISC",
+      "dependencies": {
+        "xmlchars": "^2.2.0"
+      },
+      "engines": {
+        "node": ">=v12.22.7"
+      }
+    },
     "node_modules/scslre": {
       "version": "0.3.0",
       "resolved": "https://registry.npmjs.org/scslre/-/scslre-0.3.0.tgz",
@@ -13836,6 +15270,13 @@
       "integrity": "sha512-Rtlj66/b0ICeFzYTuNvX/EF1igRbbnGSvEyT79McoZa/DeGhMyC5pWKOEsZKnpkqtSeovd5FL/bjHWC3CIIvCQ==",
       "license": "MIT"
     },
+    "node_modules/siginfo": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/siginfo/-/siginfo-2.0.0.tgz",
+      "integrity": "sha512-ybx0WO1/8bSBLEWXZvEd7gMW3Sn3JFlW3TvX1nREbDLRNQNaeNN8WK0meBwPdAaOI7TtRRRJn/Es1zhrrCHu7g==",
+      "dev": true,
+      "license": "ISC"
+    },
     "node_modules/signal-exit": {
       "version": "4.1.0",
       "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz",
@@ -14002,6 +15443,13 @@
         "node": ">=12.0.0"
       }
     },
+    "node_modules/stackback": {
+      "version": "0.0.2",
+      "resolved": "https://registry.npmjs.org/stackback/-/stackback-0.0.2.tgz",
+      "integrity": "sha512-1XMJE5fQo1jGH6Y/7ebnwPOBEkIEnT4QF32d5R1+VXdXveM0IBMJt8zfaxX1P3QhVwrYe+576+jkANtSS2mBbw==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/standard-as-callback": {
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/standard-as-callback/-/standard-as-callback-2.1.0.tgz",
@@ -14276,6 +15724,12 @@
         "uuid": "^10.0.0"
       }
     },
+    "node_modules/symbol-tree": {
+      "version": "3.2.4",
+      "resolved": "https://registry.npmjs.org/symbol-tree/-/symbol-tree-3.2.4.tgz",
+      "integrity": "sha512-9QNk5KwDF+Bvz+PyObkmSYjI5ksVUYtjW7AU22r2NKcfLJcXp96hkDWU3+XndOsUb+AQ9QhfzfCT2O+CNWT5Tw==",
+      "license": "MIT"
+    },
     "node_modules/system-architecture": {
       "version": "0.1.0",
       "resolved": "https://registry.npmjs.org/system-architecture/-/system-architecture-0.1.0.tgz",
@@ -14429,6 +15883,13 @@
       "integrity": "sha512-+FbBPE1o9QAYvviau/qC5SE3caw21q3xkvWKBtja5vgqOWIHHJ3ioaq1VPfn/Szqctz2bU/oYeKd9/z5BL+PVg==",
       "license": "MIT"
     },
+    "node_modules/tinybench": {
+      "version": "2.9.0",
+      "resolved": "https://registry.npmjs.org/tinybench/-/tinybench-2.9.0.tgz",
+      "integrity": "sha512-0+DUvqWMValLmha6lr4kD8iAMK1HzV0/aKnCtWb9v9641TnP/MFb7Pc2bxoxQjTXAErryXVgUOfv2YqNllqGeg==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/tinyexec": {
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/tinyexec/-/tinyexec-1.0.2.tgz",
@@ -14454,6 +15915,34 @@
         "url": "https://github.com/sponsors/SuperchupuDev"
       }
     },
+    "node_modules/tinyrainbow": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/tinyrainbow/-/tinyrainbow-3.0.3.tgz",
+      "integrity": "sha512-PSkbLUoxOFRzJYjjxHJt9xro7D+iilgMX/C9lawzVuYiIdcihh9DXmVibBe8lmcFrRi/VzlPjBxbN7rH24q8/Q==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
+    "node_modules/tldts": {
+      "version": "7.0.23",
+      "resolved": "https://registry.npmjs.org/tldts/-/tldts-7.0.23.tgz",
+      "integrity": "sha512-ASdhgQIBSay0R/eXggAkQ53G4nTJqTXqC2kbaBbdDwM7SkjyZyO0OaaN1/FH7U/yCeqOHDwFO5j8+Os/IS1dXw==",
+      "license": "MIT",
+      "dependencies": {
+        "tldts-core": "^7.0.23"
+      },
+      "bin": {
+        "tldts": "bin/cli.js"
+      }
+    },
+    "node_modules/tldts-core": {
+      "version": "7.0.23",
+      "resolved": "https://registry.npmjs.org/tldts-core/-/tldts-core-7.0.23.tgz",
+      "integrity": "sha512-0g9vrtDQLrNIiCj22HSe9d4mLVG3g5ph5DZ8zCKBr4OtrspmNB6ss7hVyzArAeE88ceZocIEGkyW1Ime7fxPtQ==",
+      "license": "MIT"
+    },
     "node_modules/to-regex-range": {
       "version": "5.0.1",
       "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
@@ -14500,6 +15989,18 @@
         "node": ">=6"
       }
     },
+    "node_modules/tough-cookie": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-6.0.0.tgz",
+      "integrity": "sha512-kXuRi1mtaKMrsLUxz3sQYvVl37B0Ns6MzfrtV5DvJceE9bPyspOqk9xxv7XbZWcfLWbFmm997vl83qUWVJA64w==",
+      "license": "BSD-3-Clause",
+      "dependencies": {
+        "tldts": "^7.0.5"
+      },
+      "engines": {
+        "node": ">=16"
+      }
+    },
     "node_modules/tr46": {
       "version": "5.1.1",
       "resolved": "https://registry.npmjs.org/tr46/-/tr46-5.1.1.tgz",
@@ -14530,6 +16031,15 @@
       "integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==",
       "license": "0BSD"
     },
+    "node_modules/tsscmp": {
+      "version": "1.0.6",
+      "resolved": "https://registry.npmjs.org/tsscmp/-/tsscmp-1.0.6.tgz",
+      "integrity": "sha512-LxhtAkPDTkVCMQjt2h6eBVY28KCjikZqZfMcC15YBeNjkgUpdCfBu5HoiOTDu86v6smE8yOjyEktJ8hlbANHQA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.6.x"
+      }
+    },
     "node_modules/type-check": {
       "version": "0.4.0",
       "resolved": "https://registry.npmjs.org/type-check/-/type-check-0.4.0.tgz",
@@ -14557,6 +16067,45 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/type-is": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/type-is/-/type-is-2.0.1.tgz",
+      "integrity": "sha512-OZs6gsjF4vMp32qrCbiVSkrFmXtG/AZhY3t0iAMrMBiAZyV9oALtXO8hsrHbMXF9x6L3grlFuwW2oAz7cav+Gw==",
+      "license": "MIT",
+      "dependencies": {
+        "content-type": "^1.0.5",
+        "media-typer": "^1.1.0",
+        "mime-types": "^3.0.0"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/type-is/node_modules/mime-db": {
+      "version": "1.54.0",
+      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.54.0.tgz",
+      "integrity": "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/type-is/node_modules/mime-types": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-3.0.2.tgz",
+      "integrity": "sha512-Lbgzdk0h4juoQ9fCKXW4by0UJqj+nOOrI9MJ1sSj4nI8aI2eo1qmvQEie4VD1glsS250n15LsWsYtCugiStS5A==",
+      "license": "MIT",
+      "dependencies": {
+        "mime-db": "^1.54.0"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
     "node_modules/type-level-regexp": {
       "version": "0.1.17",
       "resolved": "https://registry.npmjs.org/type-level-regexp/-/type-level-regexp-0.1.17.tgz",
@@ -14636,6 +16185,15 @@
         "node": ">=18.12.0"
       }
     },
+    "node_modules/undici": {
+      "version": "7.22.0",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-7.22.0.tgz",
+      "integrity": "sha512-RqslV2Us5BrllB+JeiZnK4peryVTndy9Dnqq62S3yYRRTj0tFQCwEniUy2167skdGOy3vqRzEvl1Dm4sV2ReDg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=20.18.1"
+      }
+    },
     "node_modules/undici-types": {
       "version": "7.18.2",
       "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.18.2.tgz",
@@ -14769,6 +16327,15 @@
         "url": "https://github.com/sponsors/sxzz"
       }
     },
+    "node_modules/unpipe": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz",
+      "integrity": "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
     "node_modules/unplugin": {
       "version": "3.0.0",
       "resolved": "https://registry.npmjs.org/unplugin/-/unplugin-3.0.0.tgz",
@@ -15244,6 +16811,15 @@
         "uuid": "dist/bin/uuid"
       }
     },
+    "node_modules/vary": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz",
+      "integrity": "sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
     "node_modules/vaul-vue": {
       "version": "0.4.1",
       "resolved": "https://registry.npmjs.org/vaul-vue/-/vaul-vue-0.4.1.tgz",
@@ -15711,6 +17287,101 @@
         "@types/estree": "^1.0.0"
       }
     },
+    "node_modules/vitest": {
+      "version": "4.0.18",
+      "resolved": "https://registry.npmjs.org/vitest/-/vitest-4.0.18.tgz",
+      "integrity": "sha512-hOQuK7h0FGKgBAas7v0mSAsnvrIgAvWmRFjmzpJ7SwFHH3g1k2u37JtYwOwmEKhK6ZO3v9ggDBBm0La1LCK4uQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@vitest/expect": "4.0.18",
+        "@vitest/mocker": "4.0.18",
+        "@vitest/pretty-format": "4.0.18",
+        "@vitest/runner": "4.0.18",
+        "@vitest/snapshot": "4.0.18",
+        "@vitest/spy": "4.0.18",
+        "@vitest/utils": "4.0.18",
+        "es-module-lexer": "^1.7.0",
+        "expect-type": "^1.2.2",
+        "magic-string": "^0.30.21",
+        "obug": "^2.1.1",
+        "pathe": "^2.0.3",
+        "picomatch": "^4.0.3",
+        "std-env": "^3.10.0",
+        "tinybench": "^2.9.0",
+        "tinyexec": "^1.0.2",
+        "tinyglobby": "^0.2.15",
+        "tinyrainbow": "^3.0.3",
+        "vite": "^6.0.0 || ^7.0.0",
+        "why-is-node-running": "^2.3.0"
+      },
+      "bin": {
+        "vitest": "vitest.mjs"
+      },
+      "engines": {
+        "node": "^20.0.0 || ^22.0.0 || >=24.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      },
+      "peerDependencies": {
+        "@edge-runtime/vm": "*",
+        "@opentelemetry/api": "^1.9.0",
+        "@types/node": "^20.0.0 || ^22.0.0 || >=24.0.0",
+        "@vitest/browser-playwright": "4.0.18",
+        "@vitest/browser-preview": "4.0.18",
+        "@vitest/browser-webdriverio": "4.0.18",
+        "@vitest/ui": "4.0.18",
+        "happy-dom": "*",
+        "jsdom": "*"
+      },
+      "peerDependenciesMeta": {
+        "@edge-runtime/vm": {
+          "optional": true
+        },
+        "@opentelemetry/api": {
+          "optional": true
+        },
+        "@types/node": {
+          "optional": true
+        },
+        "@vitest/browser-playwright": {
+          "optional": true
+        },
+        "@vitest/browser-preview": {
+          "optional": true
+        },
+        "@vitest/browser-webdriverio": {
+          "optional": true
+        },
+        "@vitest/ui": {
+          "optional": true
+        },
+        "happy-dom": {
+          "optional": true
+        },
+        "jsdom": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/vitest-environment-nuxt": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/vitest-environment-nuxt/-/vitest-environment-nuxt-1.0.1.tgz",
+      "integrity": "sha512-eBCwtIQriXW5/M49FjqNKfnlJYlG2LWMSNFsRVKomc8CaMqmhQPBS5LZ9DlgYL9T8xIVsiA6RZn2lk7vxov3Ow==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@nuxt/test-utils": ">=3.13.1"
+      }
+    },
+    "node_modules/vitest/node_modules/es-module-lexer": {
+      "version": "1.7.0",
+      "resolved": "https://registry.npmjs.org/es-module-lexer/-/es-module-lexer-1.7.0.tgz",
+      "integrity": "sha512-jEQoCwk8hyb2AZziIOLhDqpm5+2ww5uIE6lkO/6jcOCusfk6LhMHpXXfBLXTZ7Ydyt0j4VoUQv6uGNYbdW+kBA==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/vscode-uri": {
       "version": "3.1.0",
       "resolved": "https://registry.npmjs.org/vscode-uri/-/vscode-uri-3.1.0.tgz",
@@ -15815,6 +17486,27 @@
       "integrity": "sha512-dpojBhNsCNN7T82Tm7k26A6G9ML3NkhDsnw9n/eoxSRlVBB4CEtIQ/KTCLI2Fwf3ataSXRhYFkQi3SlnFwPvPQ==",
       "license": "MIT"
     },
+    "node_modules/w3c-xmlserializer": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/w3c-xmlserializer/-/w3c-xmlserializer-5.0.0.tgz",
+      "integrity": "sha512-o8qghlI8NZHU1lLPrpi2+Uq7abh4GGPpYANlalzWxyWteJOCsr/P+oPBA49TOLu5FTZO4d3F9MnWJfiMo4BkmA==",
+      "license": "MIT",
+      "dependencies": {
+        "xml-name-validator": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/w3c-xmlserializer/node_modules/xml-name-validator": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/xml-name-validator/-/xml-name-validator-5.0.0.tgz",
+      "integrity": "sha512-EvGK8EJ3DhaHfbRlETOWAS5pO9MZITeauHKJyb8wyajUfQUenkIg2MvLDTZ4T/TgIcm3HU0TFBgWWboAZ30UHg==",
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/webidl-conversions": {
       "version": "7.0.0",
       "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-7.0.0.tgz",
@@ -15830,6 +17522,15 @@
       "integrity": "sha512-66/V2i5hQanC51vBQKPH4aI8NMAcBW59FVBs+rC7eGHupMyfn34q7rZIE+ETlJ+XTevqfUhVVBgSUNSW2flEUQ==",
       "license": "MIT"
     },
+    "node_modules/whatwg-mimetype": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/whatwg-mimetype/-/whatwg-mimetype-5.0.0.tgz",
+      "integrity": "sha512-sXcNcHOC51uPGF0P/D4NVtrkjSU2fNsm9iog4ZvZJsL3rjoDAzXZhkm2MWt1y+PUdggKAYVoMAIYcs78wJ51Cw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=20"
+      }
+    },
     "node_modules/whatwg-url": {
       "version": "14.2.0",
       "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-14.2.0.tgz",
@@ -15867,6 +17568,23 @@
         "node": ">= 8"
       }
     },
+    "node_modules/why-is-node-running": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/why-is-node-running/-/why-is-node-running-2.3.0.tgz",
+      "integrity": "sha512-hUrmaWBdVDcxvYqnyh09zunKzROWjbZTiNy8dBEjkS7ehEDQibXJ7XvlmtbwuTclUiIyN+CyXQD4Vmko8fNm8w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "siginfo": "^2.0.0",
+        "stackback": "0.0.2"
+      },
+      "bin": {
+        "why-is-node-running": "cli.js"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
     "node_modules/word-wrap": {
       "version": "1.2.5",
       "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.5.tgz",
@@ -15956,6 +17674,12 @@
         "node": ">=12"
       }
     },
+    "node_modules/xmlchars": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/xmlchars/-/xmlchars-2.2.0.tgz",
+      "integrity": "sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw==",
+      "license": "MIT"
+    },
     "node_modules/y-protocols": {
       "version": "1.0.7",
       "resolved": "https://registry.npmjs.org/y-protocols/-/y-protocols-1.0.7.tgz",
diff --git a/package.json b/package.json
index 4d998b9..3661871 100644
--- a/package.json
+++ b/package.json
@@ -7,7 +7,9 @@
     "dev": "nuxt dev",
     "generate": "nuxt generate",
     "preview": "nuxt preview",
-    "postinstall": "nuxt prepare"
+    "postinstall": "nuxt prepare",
+    "test": "vitest",
+    "test:run": "vitest run"
   },
   "dependencies": {
     "@cloudinary/vue": "^1.13.3",
@@ -17,15 +19,17 @@
     "@nuxt/ui": "^4.0.0",
     "@nuxtjs/plausible": "^3.0.1",
     "@slack/web-api": "^7.10.0",
-    "bcryptjs": "^3.0.2",
     "chrono-node": "^2.8.4",
     "cloudinary": "^2.7.0",
     "eslint": "^9.34.0",
+    "isomorphic-dompurify": "^3.0.0",
     "jsonwebtoken": "^9.0.2",
     "marked": "^17.0.3",
     "mongoose": "^8.18.0",
     "nitro-cors": "^0.7.1",
     "nuxt": "^4.0.3",
+    "oidc-provider": "^9.6.1",
+    "rate-limiter-flexible": "^9.1.1",
     "resend": "^6.0.1",
     "typescript": "^5.9.2",
     "vue": "^3.5.20",
@@ -33,6 +37,11 @@
     "zod": "^4.1.3"
   },
   "devDependencies": {
-    "@tailwindcss/typography": "^0.5.19"
+    "@nuxt/test-utils": "^4.0.0",
+    "@tailwindcss/typography": "^0.5.19",
+    "@types/jsonwebtoken": "^9.0.10",
+    "@types/oidc-provider": "^9.5.0",
+    "jsdom": "^28.1.0",
+    "vitest": "^4.0.18"
   }
 }
diff --git a/server/api/admin/dashboard.get.js b/server/api/admin/dashboard.get.js
index 5af6cec..31786e1 100644
--- a/server/api/admin/dashboard.get.js
+++ b/server/api/admin/dashboard.get.js
@@ -1,26 +1,13 @@
 import Member from '../../models/member.js'
 import Event from '../../models/event.js'
 import { connectDB } from '../../utils/mongoose.js'
-import jwt from 'jsonwebtoken'
+import { requireAdmin } from '../../utils/auth.js'
 
 export default defineEventHandler(async (event) => {
   try {
-    // TODO: Temporarily disabled auth for testing - enable when authentication is set up
-    // Basic auth check
-    // const token = getCookie(event, 'auth-token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
-    
-    // if (!token) {
-    //   throw createError({
-    //     statusCode: 401,
-    //     statusMessage: 'Authentication required'
-    //   })
-    // }
-
-    // const config = useRuntimeConfig()
-    // jwt.verify(token, config.jwtSecret)
-
+    await requireAdmin(event)
     await connectDB()
-    
+
     // Get stats
     const totalMembers = await Member.countDocuments()
     const now = new Date()
@@ -28,21 +15,21 @@ export default defineEventHandler(async (event) => {
       startDate: { $lte: now },
       endDate: { $gte: now }
     })
-    
+
     // Calculate monthly revenue from member contributions
     const members = await Member.find({}, 'contributionTier').lean()
     const monthlyRevenue = members.reduce((total, member) => {
       return total + parseInt(member.contributionTier || '0')
     }, 0)
-    
+
     const pendingSlackInvites = await Member.countDocuments({ slackInvited: false })
-    
+
     // Get recent members (last 5)
     const recentMembers = await Member.find()
       .sort({ createdAt: -1 })
       .limit(5)
       .lean()
-    
+
     // Get upcoming events (next 5)
     const upcomingEvents = await Event.find({
       startDate: { $gte: now }
@@ -50,7 +37,7 @@ export default defineEventHandler(async (event) => {
       .sort({ startDate: 1 })
       .limit(5)
       .lean()
-    
+
     return {
       stats: {
         totalMembers,
@@ -62,9 +49,10 @@ export default defineEventHandler(async (event) => {
       upcomingEvents
     }
   } catch (error) {
+    if (error.statusCode) throw error
     throw createError({
       statusCode: 500,
       statusMessage: 'Failed to fetch dashboard data'
     })
   }
-})
\ No newline at end of file
+})
diff --git a/server/api/admin/events.get.js b/server/api/admin/events.get.js
index 832b642..b29f746 100644
--- a/server/api/admin/events.get.js
+++ b/server/api/admin/events.get.js
@@ -1,34 +1,22 @@
 import Event from '../../models/event.js'
 import { connectDB } from '../../utils/mongoose.js'
-import jwt from 'jsonwebtoken'
+import { requireAdmin } from '../../utils/auth.js'
 
 export default defineEventHandler(async (event) => {
   try {
-    // TODO: Temporarily disabled auth for testing - enable when authentication is set up
-    // Basic auth check - you may want to implement proper admin role checking
-    // const token = getCookie(event, 'auth-token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
-    
-    // if (!token) {
-    //   throw createError({
-    //     statusCode: 401,
-    //     statusMessage: 'Authentication required'
-    //   })
-    // }
-
-    // const config = useRuntimeConfig()
-    // jwt.verify(token, config.jwtSecret)
-
+    await requireAdmin(event)
     await connectDB()
-    
+
     const events = await Event.find()
       .sort({ startDate: 1 })
       .lean()
 
     return events
   } catch (error) {
+    if (error.statusCode) throw error
     throw createError({
       statusCode: 500,
       statusMessage: 'Failed to fetch events'
     })
   }
-})
\ No newline at end of file
+})
diff --git a/server/api/admin/events.post.js b/server/api/admin/events.post.js
index 8ea3faa..875499b 100644
--- a/server/api/admin/events.post.js
+++ b/server/api/admin/events.post.js
@@ -1,37 +1,20 @@
 import Event from "../../models/event.js";
 import { connectDB } from "../../utils/mongoose.js";
-import jwt from "jsonwebtoken";
+import { requireAdmin } from "../../utils/auth.js";
+import { validateBody } from "../../utils/validateBody.js";
+import { adminEventCreateSchema } from "../../utils/schemas.js";
 
 export default defineEventHandler(async (event) => {
   try {
-    // TODO: Temporarily disabled auth for testing - enable when authentication is set up
-    // const token = getCookie(event, 'auth-token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
+    const admin = await requireAdmin(event);
 
-    // if (!token) {
-    //   throw createError({
-    //     statusCode: 401,
-    //     statusMessage: 'Authentication required'
-    //   })
-    // }
-
-    // const config = useRuntimeConfig()
-    // const decoded = jwt.verify(token, config.jwtSecret)
-
-    const body = await readBody(event);
-
-    // Validate required fields
-    if (!body.title || !body.description || !body.startDate || !body.endDate) {
-      throw createError({
-        statusCode: 400,
-        statusMessage: "Missing required fields",
-      });
-    }
+    const body = await validateBody(event, adminEventCreateSchema);
 
     await connectDB();
 
     const eventData = {
       ...body,
-      createdBy: "admin@ghostguild.org", // TODO: Use actual authenticated user
+      createdBy: admin.email,
       startDate: new Date(body.startDate),
       endDate: new Date(body.endDate),
       registrationDeadline: body.registrationDeadline
@@ -67,6 +50,7 @@ export default defineEventHandler(async (event) => {
 
     return savedEvent;
   } catch (error) {
+    if (error.statusCode) throw error;
     console.error("Error creating event:", error);
     throw createError({
       statusCode: 500,
diff --git a/server/api/admin/events/[id].delete.js b/server/api/admin/events/[id].delete.js
index e283859..f83686f 100644
--- a/server/api/admin/events/[id].delete.js
+++ b/server/api/admin/events/[id].delete.js
@@ -1,26 +1,15 @@
 import Event from '../../../models/event.js'
 import { connectDB } from '../../../utils/mongoose.js'
-import jwt from 'jsonwebtoken'
+import { requireAdmin } from '../../../utils/auth.js'
 
 export default defineEventHandler(async (event) => {
   try {
-    // TODO: Temporarily disabled auth for testing - enable when authentication is set up
-    // const token = getCookie(event, 'auth-token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
-    
-    // if (!token) {
-    //   throw createError({
-    //     statusCode: 401,
-    //     statusMessage: 'Authentication required'
-    //   })
-    // }
-
-    // const config = useRuntimeConfig()
-    // const decoded = jwt.verify(token, config.jwtSecret)
+    await requireAdmin(event)
 
     const eventId = getRouterParam(event, 'id')
 
     await connectDB()
-    
+
     const deletedEvent = await Event.findByIdAndDelete(eventId)
 
     if (!deletedEvent) {
@@ -29,13 +18,14 @@ export default defineEventHandler(async (event) => {
         statusMessage: 'Event not found'
       })
     }
-    
+
     return { success: true, message: 'Event deleted successfully' }
   } catch (error) {
+    if (error.statusCode) throw error
     console.error('Error deleting event:', error)
     throw createError({
       statusCode: 500,
       statusMessage: error.message || 'Failed to delete event'
     })
   }
-})
\ No newline at end of file
+})
diff --git a/server/api/admin/events/[id].get.js b/server/api/admin/events/[id].get.js
index cd1bf54..ae42859 100644
--- a/server/api/admin/events/[id].get.js
+++ b/server/api/admin/events/[id].get.js
@@ -1,47 +1,31 @@
 import Event from '../../../models/event.js'
 import { connectDB } from '../../../utils/mongoose.js'
-import jwt from 'jsonwebtoken'
+import { requireAdmin } from '../../../utils/auth.js'
 
 export default defineEventHandler(async (event) => {
   try {
-    // TODO: Temporarily disabled auth for testing - enable when authentication is set up
-    // const token = getCookie(event, 'auth-token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
-    
-    // if (!token) {
-    //   throw createError({
-    //     statusCode: 401,
-    //     statusMessage: 'Authentication required'
-    //   })
-    // }
-
-    // const config = useRuntimeConfig()
-    // const decoded = jwt.verify(token, config.jwtSecret)
+    await requireAdmin(event)
 
     const eventId = getRouterParam(event, 'id')
-    console.log('🔍 API: Get event by ID called')
-    console.log('🔍 API: Event ID param:', eventId)
 
     await connectDB()
-    
+
     const eventData = await Event.findById(eventId)
-    console.log('🔍 API: Event data found:', eventData ? 'YES' : 'NO')
-    console.log('🔍 API: Event data preview:', eventData ? { id: eventData._id, title: eventData.title } : null)
 
     if (!eventData) {
-      console.log('❌ API: Event not found in database')
       throw createError({
         statusCode: 404,
         statusMessage: 'Event not found'
       })
     }
-    
-    console.log('✅ API: Returning event data')
+
     return { data: eventData }
   } catch (error) {
-    console.error('❌ API: Error fetching event:', error)
+    if (error.statusCode) throw error
+    console.error('Error fetching event:', error)
     throw createError({
       statusCode: 500,
       statusMessage: error.message || 'Failed to fetch event'
     })
   }
-})
\ No newline at end of file
+})
diff --git a/server/api/admin/events/[id].put.js b/server/api/admin/events/[id].put.js
index 50ae589..542b727 100644
--- a/server/api/admin/events/[id].put.js
+++ b/server/api/admin/events/[id].put.js
@@ -1,25 +1,14 @@
 import Event from '../../../models/event.js'
 import { connectDB } from '../../../utils/mongoose.js'
-import jwt from 'jsonwebtoken'
+import { requireAdmin } from '../../../utils/auth.js'
 
 export default defineEventHandler(async (event) => {
   try {
-    // TODO: Temporarily disabled auth for testing - enable when authentication is set up
-    // const token = getCookie(event, 'auth-token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
-    
-    // if (!token) {
-    //   throw createError({
-    //     statusCode: 401,
-    //     statusMessage: 'Authentication required'
-    //   })
-    // }
-
-    // const config = useRuntimeConfig()
-    // const decoded = jwt.verify(token, config.jwtSecret)
+    await requireAdmin(event)
 
     const eventId = getRouterParam(event, 'id')
     const body = await readBody(event)
-    
+
     // Validate required fields
     if (!body.title || !body.description || !body.startDate || !body.endDate) {
       throw createError({
@@ -29,7 +18,7 @@ export default defineEventHandler(async (event) => {
     }
 
     await connectDB()
-    
+
     const updateData = {
       ...body,
       startDate: new Date(body.startDate),
@@ -37,7 +26,7 @@ export default defineEventHandler(async (event) => {
       registrationDeadline: body.registrationDeadline ? new Date(body.registrationDeadline) : null,
       updatedAt: new Date()
     }
-    
+
     // Handle ticket data
     if (body.tickets) {
       updateData.tickets = {
@@ -67,13 +56,14 @@ export default defineEventHandler(async (event) => {
         statusMessage: 'Event not found'
       })
     }
-    
+
     return updatedEvent
   } catch (error) {
+    if (error.statusCode) throw error
     console.error('Error updating event:', error)
     throw createError({
       statusCode: 500,
       statusMessage: error.message || 'Failed to update event'
     })
   }
-})
\ No newline at end of file
+})
diff --git a/server/api/admin/members.get.js b/server/api/admin/members.get.js
index 3e8bccc..3ababb7 100644
--- a/server/api/admin/members.get.js
+++ b/server/api/admin/members.get.js
@@ -1,34 +1,22 @@
 import Member from '../../models/member.js'
 import { connectDB } from '../../utils/mongoose.js'
-import jwt from 'jsonwebtoken'
+import { requireAdmin } from '../../utils/auth.js'
 
 export default defineEventHandler(async (event) => {
   try {
-    // TODO: Temporarily disabled auth for testing - enable when authentication is set up
-    // Basic auth check - you may want to implement proper admin role checking
-    // const token = getCookie(event, 'auth-token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
-    
-    // if (!token) {
-    //   throw createError({
-    //     statusCode: 401,
-    //     statusMessage: 'Authentication required'
-    //   })
-    // }
-
-    // const config = useRuntimeConfig()
-    // jwt.verify(token, config.jwtSecret)
-
+    await requireAdmin(event)
     await connectDB()
-    
+
     const members = await Member.find()
       .sort({ createdAt: -1 })
       .lean()
 
     return members
   } catch (error) {
+    if (error.statusCode) throw error
     throw createError({
       statusCode: 500,
       statusMessage: 'Failed to fetch members'
     })
   }
-})
\ No newline at end of file
+})
diff --git a/server/api/admin/members.post.js b/server/api/admin/members.post.js
index cb9f139..677a6cf 100644
--- a/server/api/admin/members.post.js
+++ b/server/api/admin/members.post.js
@@ -1,24 +1,13 @@
 import Member from '../../models/member.js'
 import { connectDB } from '../../utils/mongoose.js'
-import jwt from 'jsonwebtoken'
+import { requireAdmin } from '../../utils/auth.js'
 
 export default defineEventHandler(async (event) => {
   try {
-    // TODO: Temporarily disabled auth for testing - enable when authentication is set up
-    // const token = getCookie(event, 'auth-token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
-    
-    // if (!token) {
-    //   throw createError({
-    //     statusCode: 401,
-    //     statusMessage: 'Authentication required'
-    //   })
-    // }
-
-    // const config = useRuntimeConfig()
-    // jwt.verify(token, config.jwtSecret)
+    await requireAdmin(event)
 
     const body = await readBody(event)
-    
+
     // Validate required fields
     if (!body.name || !body.email || !body.circle || !body.contributionTier) {
       throw createError({
@@ -28,7 +17,7 @@ export default defineEventHandler(async (event) => {
     }
 
     await connectDB()
-    
+
     // Check if member already exists
     const existingMember = await Member.findOne({ email: body.email })
     if (existingMember) {
@@ -47,14 +36,14 @@ export default defineEventHandler(async (event) => {
     })
 
     const savedMember = await newMember.save()
-    
+
     return savedMember
   } catch (error) {
     if (error.statusCode) throw error
-    
+
     throw createError({
       statusCode: 500,
       statusMessage: 'Failed to create member'
     })
   }
-})
\ No newline at end of file
+})
diff --git a/server/api/admin/series.get.js b/server/api/admin/series.get.js
index e54ac4d..f7d7991 100644
--- a/server/api/admin/series.get.js
+++ b/server/api/admin/series.get.js
@@ -1,9 +1,11 @@
 import Series from "../../models/series.js";
 import Event from "../../models/event.js";
 import { connectDB } from "../../utils/mongoose.js";
+import { requireAdmin } from "../../utils/auth.js";
 
 export default defineEventHandler(async (event) => {
   try {
+    await requireAdmin(event);
     await connectDB();
 
     // Fetch all series
diff --git a/server/api/admin/series.post.js b/server/api/admin/series.post.js
index 2041e23..d61af01 100644
--- a/server/api/admin/series.post.js
+++ b/server/api/admin/series.post.js
@@ -1,12 +1,14 @@
 import Series from '../../models/series.js'
 import { connectDB } from '../../utils/mongoose.js'
+import { requireAdmin } from '../../utils/auth.js'
 
 export default defineEventHandler(async (event) => {
   try {
+    const admin = await requireAdmin(event)
     await connectDB()
-    
+
     const body = await readBody(event)
-    
+
     // Validate required fields
     if (!body.id || !body.title || !body.description) {
       throw createError({
@@ -14,7 +16,7 @@ export default defineEventHandler(async (event) => {
         statusMessage: 'Series ID, title, and description are required'
       })
     }
-    
+
     // Create new series
     const newSeries = new Series({
       id: body.id,
@@ -22,7 +24,7 @@ export default defineEventHandler(async (event) => {
       description: body.description,
       type: body.type || 'workshop_series',
       totalEvents: body.totalEvents || null,
-      createdBy: 'admin' // TODO: Get from authentication
+      createdBy: admin.email
     })
     
     await newSeries.save()
diff --git a/server/api/admin/series.put.js b/server/api/admin/series.put.js
index 2af40b8..88a9ba3 100644
--- a/server/api/admin/series.put.js
+++ b/server/api/admin/series.put.js
@@ -1,9 +1,11 @@
 import Series from '../../models/series.js'
 import Event from '../../models/event.js'
 import { connectDB } from '../../utils/mongoose.js'
+import { requireAdmin } from '../../utils/auth.js'
 
 export default defineEventHandler(async (event) => {
   try {
+    await requireAdmin(event)
     await connectDB()
 
     const body = await readBody(event)
diff --git a/server/api/admin/series/[id].delete.js b/server/api/admin/series/[id].delete.js
index cc80202..dfcef54 100644
--- a/server/api/admin/series/[id].delete.js
+++ b/server/api/admin/series/[id].delete.js
@@ -1,9 +1,11 @@
 import Series from '../../../models/series.js'
 import Event from '../../../models/event.js'
 import { connectDB } from '../../../utils/mongoose.js'
+import { requireAdmin } from '../../../utils/auth.js'
 
 export default defineEventHandler(async (event) => {
   try {
+    await requireAdmin(event)
     await connectDB()
     
     const id = getRouterParam(event, 'id')
diff --git a/server/api/admin/series/[id].put.js b/server/api/admin/series/[id].put.js
index 0143938..a303754 100644
--- a/server/api/admin/series/[id].put.js
+++ b/server/api/admin/series/[id].put.js
@@ -1,9 +1,11 @@
 import Series from '../../../models/series.js'
 import Event from '../../../models/event.js'
 import { connectDB } from '../../../utils/mongoose.js'
+import { requireAdmin } from '../../../utils/auth.js'
 
 export default defineEventHandler(async (event) => {
   try {
+    await requireAdmin(event)
     await connectDB()
     
     const id = getRouterParam(event, 'id')
diff --git a/server/api/admin/series/tickets.put.js b/server/api/admin/series/tickets.put.js
index c087685..50ed385 100644
--- a/server/api/admin/series/tickets.put.js
+++ b/server/api/admin/series/tickets.put.js
@@ -1,9 +1,11 @@
 import Series from '../../../models/series.js'
 import Event from '../../../models/event.js'
 import { connectDB } from '../../../utils/mongoose.js'
+import { requireAdmin } from '../../../utils/auth.js'
 
 export default defineEventHandler(async (event) => {
   try {
+    await requireAdmin(event)
     await connectDB()
 
     const body = await readBody(event)
diff --git a/server/api/auth/login.post.js b/server/api/auth/login.post.js
index afc9fc1..b60986f 100644
--- a/server/api/auth/login.post.js
+++ b/server/api/auth/login.post.js
@@ -3,6 +3,8 @@ import jwt from "jsonwebtoken";
 import { Resend } from "resend";
 import Member from "../../models/member.js";
 import { connectDB } from "../../utils/mongoose.js";
+import { validateBody } from "../../utils/validateBody.js";
+import { emailSchema } from "../../utils/schemas.js";
 
 const resend = new Resend(process.env.RESEND_API_KEY);
 
@@ -10,28 +12,26 @@ export default defineEventHandler(async (event) => {
   // Connect to database
   await connectDB();
 
-  const { email } = await readBody(event);
+  const { email } = await validateBody(event, emailSchema);
 
-  if (!email) {
-    throw createError({
-      statusCode: 400,
-      statusMessage: "Email is required",
-    });
-  }
+  const GENERIC_MESSAGE = "If this email is registered, we've sent a login link.";
 
   const member = await Member.findOne({ email });
+
   if (!member) {
-    throw createError({
-      statusCode: 404,
-      statusMessage: "No account found with that email address",
-    });
+    // Return same response shape to prevent enumeration
+    return {
+      success: true,
+      message: GENERIC_MESSAGE,
+    };
   }
 
-  // Generate magic link token
+  // Generate magic link token (use runtime config for consistency with verify/requireAuth)
+  const config = useRuntimeConfig(event);
   const token = jwt.sign(
     { memberId: member._id },
-    process.env.JWT_SECRET,
-    { expiresIn: "15m" }, // Shorter expiry for security
+    config.jwtSecret,
+    { expiresIn: "15m" },
   );
 
   // Get the base URL for the magic link
@@ -65,7 +65,7 @@ export default defineEventHandler(async (event) => {
 
     return {
       success: true,
-      message: "Login link sent to your email",
+      message: GENERIC_MESSAGE,
     };
   } catch (error) {
     console.error("Failed to send email:", error);
diff --git a/server/api/auth/logout.post.js b/server/api/auth/logout.post.js
index 56c7fdf..077d38a 100644
--- a/server/api/auth/logout.post.js
+++ b/server/api/auth/logout.post.js
@@ -1,8 +1,8 @@
 export default defineEventHandler(async (event) => {
-  // Clear the auth token cookie
+  // Clear the auth token cookie (flags must match login for proper clearing)
   setCookie(event, 'auth-token', '', {
-    httpOnly: false, // Match the original cookie settings
-    secure: false, // Don't require HTTPS in development
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
     sameSite: 'lax',
     maxAge: 0 // Expire immediately
   })
diff --git a/server/api/auth/member.get.js b/server/api/auth/member.get.js
index d5e2a91..146d13e 100644
--- a/server/api/auth/member.get.js
+++ b/server/api/auth/member.get.js
@@ -1,60 +1,30 @@
-import jwt from "jsonwebtoken";
-import Member from "../../models/member.js";
-import { connectDB } from "../../utils/mongoose.js";
+import { requireAuth } from "../../utils/auth.js";
 
 export default defineEventHandler(async (event) => {
-  await connectDB();
+  const member = await requireAuth(event);
 
-  const token = getCookie(event, "auth-token");
-  console.log("Auth check - token found:", !!token);
-
-  if (!token) {
-    console.log("No auth token found in cookies");
-    throw createError({
-      statusCode: 401,
-      statusMessage: "Not authenticated",
-    });
-  }
-
-  try {
-    const decoded = jwt.verify(token, process.env.JWT_SECRET);
-    const member = await Member.findById(decoded.memberId).select("-__v");
-
-    if (!member) {
-      throw createError({
-        statusCode: 404,
-        statusMessage: "Member not found",
-      });
-    }
-
-    return {
-      _id: member._id,
-      id: member._id,
-      email: member.email,
-      name: member.name,
-      circle: member.circle,
-      contributionTier: member.contributionTier,
-      membershipLevel: `${member.circle}-${member.contributionTier}`,
-      // Profile fields
-      pronouns: member.pronouns,
-      timeZone: member.timeZone,
-      avatar: member.avatar,
-      studio: member.studio,
-      bio: member.bio,
-      location: member.location,
-      socialLinks: member.socialLinks,
-      offering: member.offering,
-      lookingFor: member.lookingFor,
-      showInDirectory: member.showInDirectory,
-      privacy: member.privacy,
-      // Peer support
-      peerSupport: member.peerSupport,
-    };
-  } catch (err) {
-    console.error("Token verification error:", err);
-    throw createError({
-      statusCode: 401,
-      statusMessage: "Invalid or expired token",
-    });
-  }
+  return {
+    _id: member._id,
+    id: member._id,
+    email: member.email,
+    name: member.name,
+    role: member.role || 'member',
+    circle: member.circle,
+    contributionTier: member.contributionTier,
+    membershipLevel: `${member.circle}-${member.contributionTier}`,
+    // Profile fields
+    pronouns: member.pronouns,
+    timeZone: member.timeZone,
+    avatar: member.avatar,
+    studio: member.studio,
+    bio: member.bio,
+    location: member.location,
+    socialLinks: member.socialLinks,
+    offering: member.offering,
+    lookingFor: member.lookingFor,
+    showInDirectory: member.showInDirectory,
+    privacy: member.privacy,
+    // Peer support
+    peerSupport: member.peerSupport,
+  };
 });
diff --git a/server/api/auth/refresh.post.js b/server/api/auth/refresh.post.js
new file mode 100644
index 0000000..482fef9
--- /dev/null
+++ b/server/api/auth/refresh.post.js
@@ -0,0 +1,58 @@
+import jwt from 'jsonwebtoken'
+import Member from '../../models/member.js'
+import { connectDB } from '../../utils/mongoose.js'
+
+export default defineEventHandler(async (event) => {
+  await connectDB()
+
+  const token = getCookie(event, 'auth-token')
+
+  if (!token) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: 'Not authenticated'
+    })
+  }
+
+  let decoded
+  try {
+    decoded = jwt.verify(token, useRuntimeConfig().jwtSecret)
+  } catch (err) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: 'Invalid or expired token'
+    })
+  }
+
+  const member = await Member.findById(decoded.memberId)
+
+  if (!member) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: 'Member not found'
+    })
+  }
+
+  if (member.status === 'suspended' || member.status === 'cancelled') {
+    throw createError({
+      statusCode: 403,
+      statusMessage: 'Account is ' + member.status
+    })
+  }
+
+  // Issue a fresh token
+  const newToken = jwt.sign(
+    { memberId: member._id, email: member.email },
+    useRuntimeConfig().jwtSecret,
+    { expiresIn: '7d' }
+  )
+
+  setCookie(event, 'auth-token', newToken, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax',
+    maxAge: 60 * 60 * 24 * 7 // 7 days
+  })
+
+  return { success: true }
+})
diff --git a/server/api/auth/status.get.js b/server/api/auth/status.get.js
index 9a7d2da..ec47164 100644
--- a/server/api/auth/status.get.js
+++ b/server/api/auth/status.get.js
@@ -6,22 +6,22 @@ export default defineEventHandler(async (event) => {
   await connectDB()
   
   const token = getCookie(event, 'auth-token')
-  console.log('🔍 Auth status check - token exists:', !!token)
-  
   if (!token) {
     return { authenticated: false, member: null }
   }
   
   try {
-    const decoded = jwt.verify(token, process.env.JWT_SECRET)
+    const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret)
     const member = await Member.findById(decoded.memberId).select('-__v')
     
     if (!member) {
-      console.log('⚠️ Token valid but member not found')
       return { authenticated: false, member: null }
     }
-    
-    console.log('✅ Auth status check - member found:', member.email)
+
+    if (member.status === 'suspended' || member.status === 'cancelled') {
+      return { authenticated: false, member: null, reason: 'account_' + member.status }
+    }
+
     return { 
       authenticated: true, 
       member: {
@@ -34,7 +34,6 @@ export default defineEventHandler(async (event) => {
       }
     }
   } catch (err) {
-    console.error('❌ Auth status check - token verification failed:', err.message)
     return { authenticated: false, member: null }
   }
 })
\ No newline at end of file
diff --git a/server/api/auth/verify.get.js b/server/api/auth/verify.get.js
index 31a66f2..d5f4c1f 100644
--- a/server/api/auth/verify.get.js
+++ b/server/api/auth/verify.get.js
@@ -18,8 +18,9 @@ export default defineEventHandler(async (event) => {
   }
   
   try {
-    // Verify the JWT token
-    const decoded = jwt.verify(token, process.env.JWT_SECRET)
+    // Verify the JWT token (use runtime config for consistency with login/requireAuth)
+    const config = useRuntimeConfig(event)
+    const decoded = jwt.verify(token, config.jwtSecret)
     const member = await Member.findById(decoded.memberId)
     
     if (!member) {
@@ -32,23 +33,22 @@ export default defineEventHandler(async (event) => {
     // Create a new session token for the authenticated user
     const sessionToken = jwt.sign(
       { memberId: member._id, email: member.email },
-      process.env.JWT_SECRET,
-      { expiresIn: '30d' }
+      config.jwtSecret,
+      { expiresIn: '7d' }
     )
-    
+
     // Set the session cookie
     setCookie(event, 'auth-token', sessionToken, {
-      httpOnly: false, // Allow JavaScript access for debugging in development
-      secure: false, // Don't require HTTPS in development
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
       sameSite: 'lax',
-      maxAge: 60 * 60 * 24 * 30 // 30 days
+      maxAge: 60 * 60 * 24 * 7 // 7 days
     })
     
     // Redirect to the members dashboard or home page
     await sendRedirect(event, '/members', 302)
     
   } catch (err) {
-    console.error('Token verification error:', err)
     throw createError({ 
       statusCode: 401, 
       statusMessage: 'Invalid or expired token' 
diff --git a/server/api/events/[id]/register.post.js b/server/api/events/[id]/register.post.js
index 7dfc1f0..ce2bbcb 100644
--- a/server/api/events/[id]/register.post.js
+++ b/server/api/events/[id]/register.post.js
@@ -2,6 +2,8 @@ import Event from "../../../models/event.js";
 import Member from "../../../models/member.js";
 import { connectDB } from "../../../utils/mongoose.js";
 import { sendEventRegistrationEmail } from "../../../utils/resend.js";
+import { validateBody } from "../../../utils/validateBody.js";
+import { eventRegistrationSchema } from "../../../utils/schemas.js";
 import mongoose from "mongoose";
 
 export default defineEventHandler(async (event) => {
@@ -9,7 +11,7 @@ export default defineEventHandler(async (event) => {
     // Ensure database connection
     await connectDB();
     const identifier = getRouterParam(event, "id");
-    const body = await readBody(event);
+    const body = await validateBody(event, eventRegistrationSchema);
 
     if (!identifier) {
       throw createError({
@@ -18,14 +20,6 @@ export default defineEventHandler(async (event) => {
       });
     }
 
-    // Validate required fields
-    if (!body.name || !body.email) {
-      throw createError({
-        statusCode: 400,
-        statusMessage: "Name and email are required",
-      });
-    }
-
     // Fetch the event - try by slug first, then by ID
     let eventData;
 
diff --git a/server/api/events/[id]/tickets/purchase.post.js b/server/api/events/[id]/tickets/purchase.post.js
index 197684c..43588fc 100644
--- a/server/api/events/[id]/tickets/purchase.post.js
+++ b/server/api/events/[id]/tickets/purchase.post.js
@@ -92,7 +92,6 @@ export default defineEventHandler(async (event) => {
       // Optional: Verify the transaction with Helcim API
       // This adds extra security to ensure the transaction is legitimate
       // For now, we trust the transaction ID from HelcimPay.js
-      console.log("Payment completed with transaction ID:", transactionId);
     }
 
     // Create registration
diff --git a/server/api/helcim/create-plan.post.js b/server/api/helcim/create-plan.post.js
index 32e3672..9b9c1a4 100644
--- a/server/api/helcim/create-plan.post.js
+++ b/server/api/helcim/create-plan.post.js
@@ -16,7 +16,6 @@ export default defineEventHandler(async (event) => {
 
     const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
 
-    console.log('Creating payment plan:', body.name)
 
     const response = await fetch(`${HELCIM_API_BASE}/payment-plans`, {
       method: 'POST',
@@ -44,7 +43,6 @@ export default defineEventHandler(async (event) => {
     }
 
     const planData = await response.json()
-    console.log('Payment plan created:', planData)
 
     return {
       success: true,
diff --git a/server/api/helcim/customer-code.get.js b/server/api/helcim/customer-code.get.js
index 7ee0be0..90e21af 100644
--- a/server/api/helcim/customer-code.get.js
+++ b/server/api/helcim/customer-code.get.js
@@ -21,7 +21,7 @@ export default defineEventHandler(async (event) => {
     // Decode JWT token
     let decoded
     try {
-      decoded = jwt.verify(token, process.env.JWT_SECRET)
+      decoded = jwt.verify(token, useRuntimeConfig().jwtSecret)
     } catch (err) {
       throw createError({
         statusCode: 401,
diff --git a/server/api/helcim/customer.post.js b/server/api/helcim/customer.post.js
index 782a0da..42d266d 100644
--- a/server/api/helcim/customer.post.js
+++ b/server/api/helcim/customer.post.js
@@ -38,8 +38,6 @@ export default defineEventHandler(async (event) => {
       })
     }
 
-    // Debug: Log token (first few chars only)
-    console.log('Using Helcim token:', helcimToken.substring(0, 10) + '...')
     
     // Test the connection first with native fetch
     try {
@@ -55,8 +53,7 @@ export default defineEventHandler(async (event) => {
         throw new Error(`HTTP ${testResponse.status}: ${testResponse.statusText}`)
       }
       
-      const testData = await testResponse.json()
-      console.log('Connection test passed:', testData)
+      await testResponse.json()
     } catch (testError) {
       console.error('Connection test failed:', testError)
       throw createError({
@@ -108,23 +105,19 @@ export default defineEventHandler(async (event) => {
         email: body.email,
         helcimCustomerId: customerData.id 
       },
-      process.env.JWT_SECRET,
-      { expiresIn: '24h' }
+      config.jwtSecret,
+      { expiresIn: '7d' }
     )
 
     // Set the session cookie server-side
-    console.log('Setting auth-token cookie for member:', member.email)
-    console.log('NODE_ENV:', process.env.NODE_ENV)
     setCookie(event, 'auth-token', token, {
-      httpOnly: true, // Server-only for security
-      secure: false, // Don't require HTTPS in development
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
       sameSite: 'lax',
-      maxAge: 60 * 60 * 24, // 24 hours
+      maxAge: 60 * 60 * 24 * 7, // 7 days (matches verify.get.js and refresh.post.js)
       path: '/',
       domain: undefined // Let browser set domain automatically
     })
-    console.log('Cookie set successfully')
-
     return {
       success: true,
       customerId: customerData.id,
diff --git a/server/api/helcim/get-or-create-customer.post.js b/server/api/helcim/get-or-create-customer.post.js
index c842913..f294a32 100644
--- a/server/api/helcim/get-or-create-customer.post.js
+++ b/server/api/helcim/get-or-create-customer.post.js
@@ -21,7 +21,7 @@ export default defineEventHandler(async (event) => {
     // Decode JWT token
     let decoded
     try {
-      decoded = jwt.verify(token, process.env.JWT_SECRET)
+      decoded = jwt.verify(token, useRuntimeConfig().jwtSecret)
     } catch (err) {
       throw createError({
         statusCode: 401,
@@ -59,7 +59,6 @@ export default defineEventHandler(async (event) => {
           const existingCustomer = searchData.customers.find(c => c.email === member.email)
 
           if (existingCustomer) {
-            console.log('Found existing Helcim customer:', existingCustomer.id)
 
             // Update member record with customer ID if not already set
             if (!member.helcimCustomerId) {
@@ -77,12 +76,11 @@ export default defineEventHandler(async (event) => {
         }
       }
     } catch (searchError) {
-      console.log('Error searching for customer:', searchError)
+      console.error('Error searching for customer:', searchError)
       // Continue to create new customer
     }
 
     // No existing customer found, create new one
-    console.log('Creating new Helcim customer for:', member.email)
     const createResponse = await fetch(`${HELCIM_API_BASE}/customers`, {
       method: 'POST',
       headers: {
@@ -107,7 +105,6 @@ export default defineEventHandler(async (event) => {
     }
 
     const customerData = await createResponse.json()
-    console.log('Created Helcim customer:', customerData.id)
 
     // Update member record with customer ID
     member.helcimCustomerId = customerData.id
diff --git a/server/api/helcim/initialize-payment.post.js b/server/api/helcim/initialize-payment.post.js
index 3987225..3888bf9 100644
--- a/server/api/helcim/initialize-payment.post.js
+++ b/server/api/helcim/initialize-payment.post.js
@@ -1,13 +1,14 @@
 // Initialize HelcimPay.js session
+import { requireAuth } from "../../utils/auth.js";
+
 const HELCIM_API_BASE = "https://api.helcim.com/v2";
 
 export default defineEventHandler(async (event) => {
   try {
+    await requireAuth(event);
     const config = useRuntimeConfig(event);
     const body = await readBody(event);
 
-    // Debug log the request body
-    console.log("Initialize payment request body:", body);
 
     const helcimToken =
       config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN;
@@ -43,8 +44,6 @@ export default defineEventHandler(async (event) => {
       requestBody.orderNumber = `${body.metadata.eventId}`;
     }
 
-    console.log("Helcim request body:", JSON.stringify(requestBody, null, 2));
-
     // Initialize HelcimPay.js session
     const response = await fetch(`${HELCIM_API_BASE}/helcim-pay/initialize`, {
       method: "POST",
diff --git a/server/api/helcim/plans.get.js b/server/api/helcim/plans.get.js
index e4da1ce..6b71c92 100644
--- a/server/api/helcim/plans.get.js
+++ b/server/api/helcim/plans.get.js
@@ -6,8 +6,6 @@ export default defineEventHandler(async (event) => {
     const config = useRuntimeConfig(event)
     const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
     
-    console.log('Fetching payment plans from Helcim...')
-    
     const response = await fetch(`${HELCIM_API_BASE}/payment-plans`, {
       method: 'GET',
       headers: {
@@ -18,17 +16,13 @@ export default defineEventHandler(async (event) => {
     
     if (!response.ok) {
       console.error('Failed to fetch payment plans:', response.status, response.statusText)
-      const errorText = await response.text()
-      console.error('Response body:', errorText)
-      
       throw createError({
         statusCode: response.status,
-        statusMessage: `Failed to fetch payment plans: ${errorText}`
+        statusMessage: 'Failed to fetch payment plans'
       })
     }
     
     const plansData = await response.json()
-    console.log('Payment plans retrieved:', JSON.stringify(plansData, null, 2))
     
     return {
       success: true,
diff --git a/server/api/helcim/subscription.post.js b/server/api/helcim/subscription.post.js
index 08cf6fa..dafacc3 100644
--- a/server/api/helcim/subscription.post.js
+++ b/server/api/helcim/subscription.post.js
@@ -3,6 +3,7 @@ import { getHelcimPlanId, requiresPayment } from '../../config/contributions.js'
 import Member from '../../models/member.js'
 import { connectDB } from '../../utils/mongoose.js'
 import { getSlackService } from '../../utils/slack.ts'
+import { requireAuth } from '../../utils/auth.js'
 
 const HELCIM_API_BASE = 'https://api.helcim.com/v2'
 
@@ -72,6 +73,7 @@ async function inviteToSlack(member) {
 
 export default defineEventHandler(async (event) => {
   try {
+    await requireAuth(event)
     await connectDB()
     const config = useRuntimeConfig(event)
     const body = await readBody(event)
@@ -91,11 +93,8 @@ export default defineEventHandler(async (event) => {
       })
     }
 
-    console.log('Subscription request body:', body)
-    
     // Check if payment is required
     if (!requiresPayment(body.contributionTier)) {
-      console.log('No payment required for tier:', body.contributionTier)
       // For free tier, just update member status
       const member = await Member.findOneAndUpdate(
         { helcimCustomerId: body.customerId },
@@ -107,8 +106,6 @@ export default defineEventHandler(async (event) => {
         { new: true }
       )
       
-      console.log('Updated member for free tier:', member)
-      
       // Send Slack invitation for free tier members
       await inviteToSlack(member)
       
@@ -119,11 +116,8 @@ export default defineEventHandler(async (event) => {
       }
     }
 
-    console.log('Payment required for tier:', body.contributionTier)
-
     // Get the Helcim plan ID
     const planId = getHelcimPlanId(body.contributionTier)
-    console.log('Plan ID for tier:', planId)
     
     // Validate card token is provided
     if (!body.cardToken) {
@@ -135,8 +129,6 @@ export default defineEventHandler(async (event) => {
 
     // Check if we have a configured plan for this tier
     if (!planId) {
-      console.log('No Helcim plan configured for tier:', body.contributionTier)
-      
       const member = await Member.findOneAndUpdate(
         { helcimCustomerId: body.customerId },
         { 
@@ -168,8 +160,6 @@ export default defineEventHandler(async (event) => {
     // Try to create subscription in Helcim
     const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
     
-    console.log('Attempting to create Helcim subscription with plan ID:', planId)
-    
     // Generate a proper alphanumeric idempotency key (exactly 25 characters)
     const chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
     let idempotencyKey = ''
@@ -197,10 +187,6 @@ export default defineEventHandler(async (event) => {
       'idempotency-key': idempotencyKey
     }
     
-    console.log('Subscription request body:', requestBody)
-    console.log('Request headers:', requestHeaders)
-    console.log('Request URL:', `${HELCIM_API_BASE}/subscriptions`)
-    
     try {
       const subscriptionResponse = await fetch(`${HELCIM_API_BASE}/subscriptions`, {
         method: 'POST',
@@ -210,47 +196,11 @@ export default defineEventHandler(async (event) => {
       
       if (!subscriptionResponse.ok) {
         const errorText = await subscriptionResponse.text()
-        console.error('Subscription creation failed:')
-        console.error('Status:', subscriptionResponse.status)
-        console.error('Status Text:', subscriptionResponse.statusText)
-        console.error('Headers:', Object.fromEntries(subscriptionResponse.headers.entries()))
-        console.error('Response Body:', errorText)
-        console.error('Request was:', {
-          url: `${HELCIM_API_BASE}/subscriptions`,
-          method: 'POST',
-          body: requestBody,
-          headers: {
-            'accept': 'application/json',
-            'content-type': 'application/json',
-            'api-token': helcimToken ? 'present' : 'missing'
-          }
-        })
+        console.error('Subscription creation failed:', subscriptionResponse.status)
         
         // If it's a validation error, let's try to get more info about available plans
         if (subscriptionResponse.status === 400 || subscriptionResponse.status === 404) {
-          console.log('Plan might not exist. Trying to get list of available payment plans...')
-          
-          // Try to fetch available payment plans
-          try {
-            const plansResponse = await fetch(`${HELCIM_API_BASE}/payment-plans`, {
-              method: 'GET',
-              headers: {
-                'accept': 'application/json',
-                'api-token': helcimToken
-              }
-            })
-            
-            if (plansResponse.ok) {
-              const plansData = await plansResponse.json()
-              console.log('Available payment plans:', JSON.stringify(plansData, null, 2))
-            } else {
-              console.log('Could not fetch payment plans:', plansResponse.status, plansResponse.statusText)
-            }
-          } catch (planError) {
-            console.log('Error fetching payment plans:', planError.message)
-          }
-          
-          // For now, just update member status and let user know we need to configure plans
+          // Plan might not exist -- update member status and proceed
           const member = await Member.findOneAndUpdate(
             { helcimCustomerId: body.customerId },
             { 
@@ -287,7 +237,6 @@ export default defineEventHandler(async (event) => {
       }
       
       const subscriptionData = await subscriptionResponse.json()
-      console.log('Subscription created successfully:', subscriptionData)
 
       // Extract the first subscription from the response array
       const subscription = subscriptionData.data?.[0]
diff --git a/server/api/helcim/subscriptions.get.js b/server/api/helcim/subscriptions.get.js
index f103ed3..111e33d 100644
--- a/server/api/helcim/subscriptions.get.js
+++ b/server/api/helcim/subscriptions.get.js
@@ -6,8 +6,6 @@ export default defineEventHandler(async (event) => {
     const config = useRuntimeConfig(event)
     const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
     
-    console.log('Fetching existing subscriptions from Helcim...')
-    
     const response = await fetch(`${HELCIM_API_BASE}/subscriptions`, {
       method: 'GET',
       headers: {
@@ -18,17 +16,13 @@ export default defineEventHandler(async (event) => {
     
     if (!response.ok) {
       console.error('Failed to fetch subscriptions:', response.status, response.statusText)
-      const errorText = await response.text()
-      console.error('Response body:', errorText)
-      
       throw createError({
         statusCode: response.status,
-        statusMessage: `Failed to fetch subscriptions: ${errorText}`
+        statusMessage: 'Failed to fetch subscriptions'
       })
     }
     
     const subscriptionsData = await response.json()
-    console.log('Existing subscriptions:', JSON.stringify(subscriptionsData, null, 2))
     
     return {
       success: true,
diff --git a/server/api/helcim/test-connection.get.js b/server/api/helcim/test-connection.get.js
deleted file mode 100644
index c4ad093..0000000
--- a/server/api/helcim/test-connection.get.js
+++ /dev/null
@@ -1,46 +0,0 @@
-// Test Helcim API connection
-const HELCIM_API_BASE = 'https://api.helcim.com/v2'
-
-export default defineEventHandler(async (event) => {
-  try {
-    const config = useRuntimeConfig(event)
-    
-    // Log token info (safely)
-    const tokenInfo = {
-      hasToken: !!config.public.helcimToken,
-      tokenLength: config.public.helcimToken ? config.public.helcimToken.length : 0,
-      tokenPrefix: config.public.helcimToken ? config.public.helcimToken.substring(0, 10) : null
-    }
-    
-    console.log('Helcim Token Info:', tokenInfo)
-    
-    const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
-    
-    // Try connection test endpoint
-    const response = await $fetch(`${HELCIM_API_BASE}/connection-test`, {
-      method: 'GET',
-      headers: {
-        'accept': 'application/json',
-        'api-token': helcimToken
-      }
-    })
-    
-    return {
-      success: true,
-      message: 'Helcim API connection successful',
-      tokenInfo,
-      connectionResponse: response
-    }
-  } catch (error) {
-    console.error('Helcim test error:', error)
-    return {
-      success: false,
-      message: error.message || 'Failed to connect to Helcim API',
-      statusCode: error.statusCode,
-      tokenInfo: {
-        hasToken: !!useRuntimeConfig().public.helcimToken,
-        tokenLength: useRuntimeConfig().public.helcimToken ? useRuntimeConfig().public.helcimToken.length : 0
-      }
-    }
-  }
-})
\ No newline at end of file
diff --git a/server/api/helcim/test-subscription.get.js b/server/api/helcim/test-subscription.get.js
deleted file mode 100644
index ff8b5e6..0000000
--- a/server/api/helcim/test-subscription.get.js
+++ /dev/null
@@ -1,77 +0,0 @@
-// Test minimal subscription creation to understand required fields
-const HELCIM_API_BASE = 'https://api.helcim.com/v2'
-
-export default defineEventHandler(async (event) => {
-  try {
-    const config = useRuntimeConfig(event)
-    const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
-    
-    // Generate a 25-character idempotency key
-    const idempotencyKey = `${Date.now()}-${Math.random().toString(36).substring(2, 15)}`.substring(0, 25)
-    
-    // Test with minimal fields first
-    const testRequest1 = {
-      customerCode: 'CST1020', // Use a recent customer code
-      planId: 20162
-    }
-    
-    console.log('Testing subscription with minimal fields:', testRequest1)
-    
-    try {
-      const response1 = await fetch(`${HELCIM_API_BASE}/subscriptions`, {
-        method: 'POST',
-        headers: {
-          'accept': 'application/json',
-          'content-type': 'application/json',
-          'api-token': helcimToken,
-          'idempotency-key': idempotencyKey + 'a'
-        },
-        body: JSON.stringify(testRequest1)
-      })
-      
-      const result1 = await response1.text()
-      console.log('Test 1 - Status:', response1.status)
-      console.log('Test 1 - Response:', result1)
-      
-      if (!response1.ok) {
-        // Try with paymentPlanId instead
-        const testRequest2 = {
-          customerCode: 'CST1020',
-          paymentPlanId: 20162
-        }
-        
-        console.log('Testing subscription with paymentPlanId:', testRequest2)
-        
-        const response2 = await fetch(`${HELCIM_API_BASE}/subscriptions`, {
-          method: 'POST',
-          headers: {
-            'accept': 'application/json',
-            'content-type': 'application/json',
-            'api-token': helcimToken,
-            'idempotency-key': idempotencyKey + 'b'
-          },
-          body: JSON.stringify(testRequest2)
-        })
-        
-        const result2 = await response2.text()
-        console.log('Test 2 - Status:', response2.status)
-        console.log('Test 2 - Response:', result2)
-      }
-      
-    } catch (error) {
-      console.error('Test error:', error)
-    }
-    
-    return {
-      success: true,
-      message: 'Check server logs for test results'
-    }
-    
-  } catch (error) {
-    console.error('Error in test endpoint:', error)
-    throw createError({
-      statusCode: 500,
-      statusMessage: error.message
-    })
-  }
-})
\ No newline at end of file
diff --git a/server/api/helcim/update-billing.post.js b/server/api/helcim/update-billing.post.js
index 0c1a367..e1199b6 100644
--- a/server/api/helcim/update-billing.post.js
+++ b/server/api/helcim/update-billing.post.js
@@ -1,8 +1,11 @@
 // Update customer billing address
+import { requireAuth } from '../../utils/auth.js'
+
 const HELCIM_API_BASE = 'https://api.helcim.com/v2'
 
 export default defineEventHandler(async (event) => {
   try {
+    await requireAuth(event)
     const config = useRuntimeConfig(event)
     const body = await readBody(event)
     
diff --git a/server/api/helcim/verify-payment.post.js b/server/api/helcim/verify-payment.post.js
index d975ee4..16fc074 100644
--- a/server/api/helcim/verify-payment.post.js
+++ b/server/api/helcim/verify-payment.post.js
@@ -1,38 +1,67 @@
 // Verify payment token from HelcimPay.js
+import { requireAuth } from '../../utils/auth.js'
+import { validateBody } from '../../utils/validateBody.js'
+import { paymentVerifySchema } from '../../utils/schemas.js'
+
 const HELCIM_API_BASE = 'https://api.helcim.com/v2'
 
 export default defineEventHandler(async (event) => {
   try {
+    await requireAuth(event)
     const config = useRuntimeConfig(event)
-    const body = await readBody(event)
-    
-    // Validate required fields
-    if (!body.cardToken || !body.customerId) {
+    const body = await validateBody(event, paymentVerifySchema)
+
+    const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
+
+    if (!helcimToken) {
       throw createError({
-        statusCode: 400,
-        statusMessage: 'Card token and customer ID are required'
+        statusCode: 500,
+        statusMessage: 'Helcim API token not configured'
       })
     }
 
-    console.log('Payment verification request:', {
-      customerId: body.customerId,
-      cardToken: body.cardToken ? 'present' : 'missing'
+    // Verify the card token by fetching the customer's cards from Helcim
+    const response = await fetch(`${HELCIM_API_BASE}/customers/${body.customerId}/cards`, {
+      method: 'GET',
+      headers: {
+        'accept': 'application/json',
+        'api-token': helcimToken
+      }
     })
 
-    // Since HelcimPay.js already verified the payment and we have the card token,
-    // we can just return success. The card is already associated with the customer.
-    console.log('Payment already verified through HelcimPay.js, returning success')
-    
+    if (!response.ok) {
+      const errorText = await response.text()
+      console.error('Payment verification failed:', response.status, errorText)
+      throw createError({
+        statusCode: 502,
+        statusMessage: 'Payment verification failed with Helcim'
+      })
+    }
+
+    const cards = await response.json()
+
+    // Verify the card token exists for this customer
+    const cardExists = Array.isArray(cards) && cards.some(card =>
+      card.cardToken === body.cardToken
+    )
+
+    if (!cardExists) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Payment method not found or does not belong to this customer'
+      })
+    }
+
     return {
       success: true,
       cardToken: body.cardToken,
-      message: 'Payment verified successfully through HelcimPay.js'
+      message: 'Payment verified with Helcim'
     }
   } catch (error) {
     console.error('Error verifying payment:', error)
     throw createError({
       statusCode: error.statusCode || 500,
-      statusMessage: error.message || 'Failed to verify payment'
+      statusMessage: error.statusMessage || 'Failed to verify payment'
     })
   }
-})
\ No newline at end of file
+})
diff --git a/server/api/members/cancel-subscription.post.js b/server/api/members/cancel-subscription.post.js
index 955bf59..34e82cb 100644
--- a/server/api/members/cancel-subscription.post.js
+++ b/server/api/members/cancel-subscription.post.js
@@ -21,7 +21,7 @@ export default defineEventHandler(async (event) => {
     // Decode JWT token
     let decoded;
     try {
-      decoded = jwt.verify(token, process.env.JWT_SECRET);
+      decoded = jwt.verify(token, config.jwtSecret);
     } catch (err) {
       throw createError({
         statusCode: 401,
diff --git a/server/api/members/create.post.js b/server/api/members/create.post.js
index 1ed831c..b9ae293 100644
--- a/server/api/members/create.post.js
+++ b/server/api/members/create.post.js
@@ -2,6 +2,8 @@
 import Member from '../../models/member.js'
 import { connectDB } from '../../utils/mongoose.js'
 import { getSlackService } from '../../utils/slack.ts'
+import { validateBody } from '../../utils/validateBody.js'
+import { memberCreateSchema } from '../../utils/schemas.js'
 // Simple payment check function to avoid import issues
 const requiresPayment = (contributionValue) => contributionValue !== '0'
 
@@ -14,7 +16,7 @@ async function inviteToSlack(member) {
       return
     }
 
-    console.log(`Processing Slack invitation for ${member.email}...`)
+    console.warn(`Processing Slack invitation for member`)
     
     const inviteResult = await slackService.inviteUserToSlack(
       member.email,
@@ -45,13 +47,13 @@ async function inviteToSlack(member) {
         inviteResult.status
       )
       
-      console.log(`Successfully processed Slack invitation for ${member.email}: ${inviteResult.status}`)
+      console.warn(`Slack invitation processed: ${inviteResult.status}`)
     } else {
       // Update member record to reflect failed invitation
       member.slackInviteStatus = 'failed'
       await member.save()
       
-      console.error(`Failed to process Slack invitation for ${member.email}: ${inviteResult.error}`)
+      console.error(`Failed to process Slack invitation: ${inviteResult.error}`)
       // Don't throw error - member creation should still succeed
     }
   } catch (error) {
@@ -73,32 +75,30 @@ export default defineEventHandler(async (event) => {
   // Ensure database is connected
   await connectDB()
   
-  const body = await readBody(event)
-  
+  const validatedData = await validateBody(event, memberCreateSchema)
+
   try {
     // Check if member already exists
-    const existingMember = await Member.findOne({ email: body.email })
+    const existingMember = await Member.findOne({ email: validatedData.email })
     if (existingMember) {
-      throw createError({ 
-        statusCode: 409, 
-        statusMessage: 'A member with this email already exists' 
+      throw createError({
+        statusCode: 409,
+        statusMessage: 'A member with this email already exists'
       })
     }
-    
-    const member = new Member(body)
+
+    const member = new Member(validatedData)
     await member.save()
     
     // Send Slack invitation for new members
     await inviteToSlack(member)
     
     // TODO: Process payment with Helcim if not free tier
-    if (requiresPayment(body.contributionTier)) {
+    if (requiresPayment(validatedData.contributionTier)) {
       // Payment processing will be added here
-      console.log('Payment processing needed for tier:', body.contributionTier)
     }
-    
+
     // TODO: Send welcome email
-    console.log('Welcome email should be sent to:', body.email)
     
     return { success: true, member }
   } catch (error) {
diff --git a/server/api/members/directory.get.js b/server/api/members/directory.get.js
index 70c614e..3598647 100644
--- a/server/api/members/directory.get.js
+++ b/server/api/members/directory.get.js
@@ -12,7 +12,7 @@ export default defineEventHandler(async (event) => {
 
   if (token) {
     try {
-      const decoded = jwt.verify(token, process.env.JWT_SECRET);
+      const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
       currentMemberId = decoded.memberId;
       isAuthenticated = true;
     } catch (err) {
@@ -46,9 +46,11 @@ export default defineEventHandler(async (event) => {
 
   // Search by name or bio
   if (search) {
+    // Escape special regex characters to prevent ReDoS
+    const escaped = search.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
     dbQuery.$or = [
-      { name: { $regex: search, $options: "i" } },
-      { bio: { $regex: search, $options: "i" } },
+      { name: { $regex: escaped, $options: "i" } },
+      { bio: { $regex: escaped, $options: "i" } },
     ];
   }
 
@@ -60,11 +62,12 @@ export default defineEventHandler(async (event) => {
     ];
     // If search is also present, combine with AND
     if (search) {
+      const escaped = search.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
       dbQuery.$and = [
         {
           $or: [
-            { name: { $regex: search, $options: "i" } },
-            { bio: { $regex: search, $options: "i" } },
+            { name: { $regex: escaped, $options: "i" } },
+            { bio: { $regex: escaped, $options: "i" } },
           ],
         },
         {
diff --git a/server/api/members/me/peer-support.patch.js b/server/api/members/me/peer-support.patch.js
index e9b9887..b130346 100644
--- a/server/api/members/me/peer-support.patch.js
+++ b/server/api/members/me/peer-support.patch.js
@@ -16,7 +16,7 @@ export default defineEventHandler(async (event) => {
 
   let memberId;
   try {
-    const decoded = jwt.verify(token, process.env.JWT_SECRET);
+    const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
     memberId = decoded.memberId;
   } catch (err) {
     throw createError({
diff --git a/server/api/members/profile.patch.js b/server/api/members/profile.patch.js
index 67eb598..bd396d6 100644
--- a/server/api/members/profile.patch.js
+++ b/server/api/members/profile.patch.js
@@ -1,34 +1,16 @@
-import jwt from "jsonwebtoken";
 import Member from "../../models/member.js";
-import { connectDB } from "../../utils/mongoose.js";
+import { requireAuth } from "../../utils/auth.js";
+import { validateBody } from "../../utils/validateBody.js";
+import { memberProfileUpdateSchema } from "../../utils/schemas.js";
 
 export default defineEventHandler(async (event) => {
-  await connectDB();
+  const authedMember = await requireAuth(event);
+  const memberId = authedMember._id;
 
-  const token = getCookie(event, "auth-token");
+  const body = await validateBody(event, memberProfileUpdateSchema);
 
-  if (!token) {
-    throw createError({
-      statusCode: 401,
-      statusMessage: "Not authenticated",
-    });
-  }
-
-  let memberId;
-  try {
-    const decoded = jwt.verify(token, process.env.JWT_SECRET);
-    memberId = decoded.memberId;
-  } catch (err) {
-    throw createError({
-      statusCode: 401,
-      statusMessage: "Invalid or expired token",
-    });
-  }
-
-  const body = await readBody(event);
-
-  // Define allowed profile fields
-  const allowedFields = [
+  // Profile fields from validated body
+  const profileFields = [
     "pronouns",
     "timeZone",
     "avatar",
@@ -37,10 +19,9 @@ export default defineEventHandler(async (event) => {
     "location",
     "socialLinks",
     "showInDirectory",
-    "helcimCustomerId",
   ];
 
-  // Define privacy fields
+  // Privacy fields from validated body
   const privacyFields = [
     "pronounsPrivacy",
     "timeZonePrivacy",
@@ -53,10 +34,10 @@ export default defineEventHandler(async (event) => {
     "lookingForPrivacy",
   ];
 
-  // Build update object
+  // Build update object from validated data
   const updateData = {};
 
-  allowedFields.forEach((field) => {
+  profileFields.forEach((field) => {
     if (body[field] !== undefined) {
       updateData[field] = body[field];
     }
@@ -94,7 +75,7 @@ export default defineEventHandler(async (event) => {
     if (!member) {
       throw createError({
         statusCode: 404,
-        message: "Member not found",
+        statusMessage: "Member not found",
       });
     }
 
@@ -117,10 +98,11 @@ export default defineEventHandler(async (event) => {
       showInDirectory: member.showInDirectory,
     };
   } catch (error) {
+    if (error.statusCode) throw error;
     console.error("Profile update error:", error);
     throw createError({
       statusCode: 500,
-      message: "Failed to update profile",
+      statusMessage: "Failed to update profile",
     });
   }
 });
diff --git a/server/api/members/update-contribution.post.js b/server/api/members/update-contribution.post.js
index 7ff8736..6749880 100644
--- a/server/api/members/update-contribution.post.js
+++ b/server/api/members/update-contribution.post.js
@@ -27,7 +27,7 @@ export default defineEventHandler(async (event) => {
     // Decode JWT token
     let decoded;
     try {
-      decoded = jwt.verify(token, process.env.JWT_SECRET);
+      decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
     } catch (err) {
       throw createError({
         statusCode: 401,
diff --git a/server/api/peer-support.get.js b/server/api/peer-support.get.js
index 04c5977..e99f68c 100644
--- a/server/api/peer-support.get.js
+++ b/server/api/peer-support.get.js
@@ -11,7 +11,7 @@ export default defineEventHandler(async (event) => {
 
   if (token) {
     try {
-      jwt.verify(token, process.env.JWT_SECRET);
+      jwt.verify(token, useRuntimeConfig().jwtSecret);
       isAuthenticated = true;
     } catch (err) {
       isAuthenticated = false;
diff --git a/server/api/slack/test-bot.get.ts b/server/api/slack/test-bot.get.ts
deleted file mode 100644
index 65b8ba5..0000000
--- a/server/api/slack/test-bot.get.ts
+++ /dev/null
@@ -1,68 +0,0 @@
-import { WebClient } from '@slack/web-api'
-
-export default defineEventHandler(async (event) => {
-  const config = useRuntimeConfig()
-  
-  if (!config.slackBotToken) {
-    return {
-      success: false,
-      error: 'Slack bot token not configured'
-    }
-  }
-
-  const client = new WebClient(config.slackBotToken)
-
-  try {
-    // Test basic API access
-    const authTest = await client.auth.test()
-    console.log('Auth test result:', authTest)
-
-    // Test if admin API is available
-    let adminApiAvailable = false
-    let adminError = null
-    
-    try {
-      // Try to call admin.users.list to test admin API access
-      await client.admin.users.list({ limit: 1 })
-      adminApiAvailable = true
-    } catch (error: any) {
-      adminError = error.data?.error || error.message
-      console.log('Admin API test failed:', adminError)
-    }
-
-    // Test channel access if channel ID is configured
-    let channelAccess = false
-    let channelError = null
-    
-    if (config.slackVettingChannelId) {
-      try {
-        const channelInfo = await client.conversations.info({
-          channel: config.slackVettingChannelId
-        })
-        channelAccess = !!channelInfo.channel
-      } catch (error: any) {
-        channelError = error.data?.error || error.message
-      }
-    }
-
-    return {
-      success: true,
-      botInfo: {
-        user: authTest.user,
-        team: authTest.team,
-        url: authTest.url
-      },
-      adminApiAvailable,
-      adminError: adminApiAvailable ? null : adminError,
-      channelAccess,
-      channelError: channelAccess ? null : channelError,
-      channelId: config.slackVettingChannelId || 'Not configured'
-    }
-
-  } catch (error: any) {
-    return {
-      success: false,
-      error: error.data?.error || error.message || 'Unknown error'
-    }
-  }
-})
\ No newline at end of file
diff --git a/server/api/test/peer-support-debug.get.js b/server/api/test/peer-support-debug.get.js
index 09c169d..4073cb2 100644
--- a/server/api/test/peer-support-debug.get.js
+++ b/server/api/test/peer-support-debug.get.js
@@ -12,7 +12,7 @@ export default defineEventHandler(async (event) => {
 
   let memberId;
   try {
-    const decoded = jwt.verify(token, process.env.JWT_SECRET);
+    const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
     memberId = decoded.memberId;
   } catch (err) {
     throw createError({ statusCode: 401, statusMessage: "Invalid token" });
diff --git a/server/api/updates/[id].delete.js b/server/api/updates/[id].delete.js
index ed7dda2..aeedd95 100644
--- a/server/api/updates/[id].delete.js
+++ b/server/api/updates/[id].delete.js
@@ -16,7 +16,7 @@ export default defineEventHandler(async (event) => {
 
   let memberId;
   try {
-    const decoded = jwt.verify(token, process.env.JWT_SECRET);
+    const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
     memberId = decoded.memberId;
   } catch (err) {
     throw createError({
diff --git a/server/api/updates/[id].get.js b/server/api/updates/[id].get.js
index 6dda80f..d17ecaf 100644
--- a/server/api/updates/[id].get.js
+++ b/server/api/updates/[id].get.js
@@ -12,7 +12,7 @@ export default defineEventHandler(async (event) => {
   // Check if user is authenticated
   if (token) {
     try {
-      const decoded = jwt.verify(token, process.env.JWT_SECRET);
+      const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
       memberId = decoded.memberId;
     } catch (err) {
       // Token invalid, continue as non-member
diff --git a/server/api/updates/[id].patch.js b/server/api/updates/[id].patch.js
index fcd5e5c..a1cf726 100644
--- a/server/api/updates/[id].patch.js
+++ b/server/api/updates/[id].patch.js
@@ -16,7 +16,7 @@ export default defineEventHandler(async (event) => {
 
   let memberId;
   try {
-    const decoded = jwt.verify(token, process.env.JWT_SECRET);
+    const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
     memberId = decoded.memberId;
   } catch (err) {
     throw createError({
diff --git a/server/api/updates/index.get.js b/server/api/updates/index.get.js
index 2cb28fb..f6f5d90 100644
--- a/server/api/updates/index.get.js
+++ b/server/api/updates/index.get.js
@@ -11,7 +11,7 @@ export default defineEventHandler(async (event) => {
   // Check if user is authenticated
   if (token) {
     try {
-      const decoded = jwt.verify(token, process.env.JWT_SECRET);
+      const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
       memberId = decoded.memberId;
     } catch (err) {
       // Token invalid, continue as non-member
diff --git a/server/api/updates/index.post.js b/server/api/updates/index.post.js
index 97d659a..8f1e330 100644
--- a/server/api/updates/index.post.js
+++ b/server/api/updates/index.post.js
@@ -1,6 +1,8 @@
 import jwt from "jsonwebtoken";
 import Update from "../../models/update.js";
 import { connectDB } from "../../utils/mongoose.js";
+import { validateBody } from "../../utils/validateBody.js";
+import { updateCreateSchema } from "../../utils/schemas.js";
 
 export default defineEventHandler(async (event) => {
   await connectDB();
@@ -16,7 +18,7 @@ export default defineEventHandler(async (event) => {
 
   let memberId;
   try {
-    const decoded = jwt.verify(token, process.env.JWT_SECRET);
+    const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
     memberId = decoded.memberId;
   } catch (err) {
     throw createError({
@@ -25,14 +27,7 @@ export default defineEventHandler(async (event) => {
     });
   }
 
-  const body = await readBody(event);
-
-  if (!body.content || !body.content.trim()) {
-    throw createError({
-      statusCode: 400,
-      statusMessage: "Content is required",
-    });
-  }
+  const body = await validateBody(event, updateCreateSchema);
 
   try {
     const update = await Update.create({
@@ -48,6 +43,7 @@ export default defineEventHandler(async (event) => {
 
     return update;
   } catch (error) {
+    if (error.statusCode) throw error;
     console.error("Create update error:", error);
     throw createError({
       statusCode: 500,
diff --git a/server/api/updates/my-updates.get.js b/server/api/updates/my-updates.get.js
index 60e6da5..084d787 100644
--- a/server/api/updates/my-updates.get.js
+++ b/server/api/updates/my-updates.get.js
@@ -16,7 +16,7 @@ export default defineEventHandler(async (event) => {
 
   let memberId;
   try {
-    const decoded = jwt.verify(token, process.env.JWT_SECRET);
+    const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
     memberId = decoded.memberId;
   } catch (err) {
     throw createError({
diff --git a/server/api/updates/user/[id].get.js b/server/api/updates/user/[id].get.js
index 7eee274..d5de64a 100644
--- a/server/api/updates/user/[id].get.js
+++ b/server/api/updates/user/[id].get.js
@@ -13,7 +13,7 @@ export default defineEventHandler(async (event) => {
   // Check if user is authenticated
   if (token) {
     try {
-      const decoded = jwt.verify(token, process.env.JWT_SECRET);
+      const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
       currentMemberId = decoded.memberId;
     } catch (err) {
       // Token invalid, continue as non-member
diff --git a/server/api/upload/image.post.js b/server/api/upload/image.post.js
index b9fb9d5..9842fa2 100644
--- a/server/api/upload/image.post.js
+++ b/server/api/upload/image.post.js
@@ -1,4 +1,5 @@
 import { v2 as cloudinary } from 'cloudinary'
+import { requireAuth } from '../../utils/auth.js'
 
 // Configure Cloudinary
 cloudinary.config({
@@ -9,6 +10,7 @@ cloudinary.config({
 
 export default defineEventHandler(async (event) => {
   try {
+    await requireAuth(event)
     // Parse the multipart form data
     const formData = await readMultipartFormData(event)
     
@@ -37,6 +39,15 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    // Validate file size (10MB limit)
+    const maxSize = 10 * 1024 * 1024
+    if (fileData.data.length > maxSize) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'File too large. Maximum size is 10MB.'
+      })
+    }
+
     // Convert buffer to base64 for Cloudinary upload
     const base64File = `data:${fileData.type};base64,${fileData.data.toString('base64')}`
 
diff --git a/server/middleware/01.csrf.js b/server/middleware/01.csrf.js
new file mode 100644
index 0000000..3f3e841
--- /dev/null
+++ b/server/middleware/01.csrf.js
@@ -0,0 +1,47 @@
+import crypto from 'crypto'
+
+const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS'])
+
+// Routes exempt from CSRF (external webhooks, magic link verify)
+const EXEMPT_PREFIXES = [
+  '/api/helcim/webhook',
+  '/api/slack/webhook',
+  '/api/auth/verify',
+  '/oidc/',
+]
+
+function isExempt(path) {
+  return EXEMPT_PREFIXES.some(prefix => path.startsWith(prefix))
+}
+
+export default defineEventHandler((event) => {
+  const method = getMethod(event)
+  const path = getRequestURL(event).pathname
+
+  // Always set a CSRF token cookie if one doesn't exist
+  let csrfToken = getCookie(event, 'csrf-token')
+  if (!csrfToken) {
+    csrfToken = crypto.randomBytes(32).toString('hex')
+    setCookie(event, 'csrf-token', csrfToken, {
+      httpOnly: false, // Must be readable by JS to include in requests
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: 'lax',
+      path: '/'
+    })
+  }
+
+  // Only check state-changing methods
+  if (SAFE_METHODS.has(method)) return
+  if (!path.startsWith('/api/')) return
+  if (isExempt(path)) return
+
+  // Double-submit cookie check: header must match cookie
+  const headerToken = getHeader(event, 'x-csrf-token')
+
+  if (!headerToken || headerToken !== csrfToken) {
+    throw createError({
+      statusCode: 403,
+      statusMessage: 'CSRF token missing or invalid'
+    })
+  }
+})
diff --git a/server/middleware/02.security-headers.js b/server/middleware/02.security-headers.js
new file mode 100644
index 0000000..f29ce86
--- /dev/null
+++ b/server/middleware/02.security-headers.js
@@ -0,0 +1,30 @@
+export default defineEventHandler((event) => {
+  const headers = {
+    'X-Content-Type-Options': 'nosniff',
+    'X-Frame-Options': 'DENY',
+    'X-XSS-Protection': '0',
+    'Referrer-Policy': 'strict-origin-when-cross-origin',
+    'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
+  }
+
+  if (process.env.NODE_ENV === 'production') {
+    headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
+
+    // CSP: allow self, Cloudinary images, HelcimPay.js, Plausible analytics
+    headers['Content-Security-Policy'] = [
+      "default-src 'self'",
+      "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://myposjs.helcim.com https://plausible.io",
+      "style-src 'self' 'unsafe-inline'",
+      "img-src 'self' data: https://res.cloudinary.com https://*.cloudinary.com",
+      "font-src 'self'",
+      "connect-src 'self' https://api.helcim.com https://myposjs.helcim.com https://plausible.io",
+      "frame-src 'self' https://myposjs.helcim.com https://secure.helcim.com",
+      "base-uri 'self'",
+      "form-action 'self'",
+    ].join('; ')
+  }
+
+  for (const [key, value] of Object.entries(headers)) {
+    setHeader(event, key, value)
+  }
+})
diff --git a/server/middleware/03.rate-limit.js b/server/middleware/03.rate-limit.js
new file mode 100644
index 0000000..2641598
--- /dev/null
+++ b/server/middleware/03.rate-limit.js
@@ -0,0 +1,65 @@
+import { RateLimiterMemory } from 'rate-limiter-flexible'
+
+// Strict rate limit for auth endpoints
+const authLimiter = new RateLimiterMemory({
+  points: 5,     // 5 requests
+  duration: 300, // per 5 minutes
+  keyPrefix: 'rl_auth'
+})
+
+// Moderate rate limit for payment endpoints
+const paymentLimiter = new RateLimiterMemory({
+  points: 10,
+  duration: 60,
+  keyPrefix: 'rl_payment'
+})
+
+// Light rate limit for upload endpoints
+const uploadLimiter = new RateLimiterMemory({
+  points: 10,
+  duration: 60,
+  keyPrefix: 'rl_upload'
+})
+
+// General API rate limit
+const generalLimiter = new RateLimiterMemory({
+  points: 100,
+  duration: 60,
+  keyPrefix: 'rl_general'
+})
+
+function getClientIp(event) {
+  return getHeader(event, 'x-forwarded-for')?.split(',')[0]?.trim()
+    || getHeader(event, 'x-real-ip')
+    || event.node.req.socket.remoteAddress
+    || 'unknown'
+}
+
+const AUTH_PATHS = new Set(['/api/auth/login'])
+const PAYMENT_PREFIXES = ['/api/helcim/']
+const UPLOAD_PATHS = new Set(['/api/upload/image'])
+
+export default defineEventHandler(async (event) => {
+  const path = getRequestURL(event).pathname
+  if (!path.startsWith('/api/')) return
+
+  const ip = getClientIp(event)
+
+  try {
+    if (AUTH_PATHS.has(path)) {
+      await authLimiter.consume(ip)
+    } else if (PAYMENT_PREFIXES.some(p => path.startsWith(p))) {
+      await paymentLimiter.consume(ip)
+    } else if (UPLOAD_PATHS.has(path)) {
+      await uploadLimiter.consume(ip)
+    } else {
+      await generalLimiter.consume(ip)
+    }
+  } catch (rateLimiterRes) {
+    setHeader(event, 'Retry-After', Math.ceil(rateLimiterRes.msBeforeNext / 1000))
+    throw createError({
+      statusCode: 429,
+      statusMessage: 'Too many requests. Please try again later.'
+    })
+  }
+})
diff --git a/server/models/member.js b/server/models/member.js
index 7dcdad0..aa00bf2 100644
--- a/server/models/member.js
+++ b/server/models/member.js
@@ -22,6 +22,11 @@ const memberSchema = new mongoose.Schema({
     enum: getValidContributionValues(),
     required: true,
   },
+  role: {
+    type: String,
+    enum: ["member", "admin"],
+    default: "member",
+  },
   status: {
     type: String,
     enum: ["pending_payment", "active", "suspended", "cancelled"],
diff --git a/server/plugins/validate-env.js b/server/plugins/validate-env.js
new file mode 100644
index 0000000..886ae6e
--- /dev/null
+++ b/server/plugins/validate-env.js
@@ -0,0 +1,9 @@
+export default defineNitroPlugin(() => {
+  const config = useRuntimeConfig()
+
+  if (!config.jwtSecret) {
+    console.error('FATAL: JWT_SECRET environment variable is not set. Server cannot start without it.')
+    console.error('Set JWT_SECRET in your .env file or environment variables.')
+    process.exit(1)
+  }
+})
diff --git a/server/routes/.well-known/openid-configuration.get.ts b/server/routes/.well-known/openid-configuration.get.ts
new file mode 100644
index 0000000..8afa4af
--- /dev/null
+++ b/server/routes/.well-known/openid-configuration.get.ts
@@ -0,0 +1,27 @@
+/**
+ * Forward /.well-known/openid-configuration to the oidc-provider.
+ *
+ * The provider generates this discovery document automatically, but since the
+ * catch-all route is mounted under /oidc/, requests to /.well-known/ need
+ * explicit forwarding.
+ */
+import { getOidcProvider } from "../../utils/oidc-provider.js";
+
+export default defineEventHandler(async (event) => {
+  const provider = await getOidcProvider();
+  const { req, res } = event.node;
+
+  // The provider expects the path relative to its root
+  req.url = "/.well-known/openid-configuration";
+
+  // Traefik terminates TLS — tell the provider we're on https
+  req.headers["x-forwarded-proto"] = "https";
+
+  const callback = provider.callback() as Function;
+  await new Promise<void>((resolve, reject) => {
+    callback(req, res, (err: unknown) => {
+      if (err) reject(err);
+      else resolve();
+    });
+  });
+});
diff --git a/server/routes/oidc/[...].ts b/server/routes/oidc/[...].ts
new file mode 100644
index 0000000..39528f0
--- /dev/null
+++ b/server/routes/oidc/[...].ts
@@ -0,0 +1,31 @@
+/**
+ * Catch-all route that delegates all /oidc/* requests to the oidc-provider.
+ *
+ * This exposes the standard OIDC endpoints:
+ *   /oidc/auth          — authorization
+ *   /oidc/token         — token exchange
+ *   /oidc/me            — userinfo
+ *   /oidc/session/end   — logout
+ *   /oidc/jwks          — JSON Web Key Set
+ */
+import { getOidcProvider } from "../../utils/oidc-provider.js";
+
+export default defineEventHandler(async (event) => {
+  const provider = await getOidcProvider();
+  const { req, res } = event.node;
+
+  // The provider's routes config includes the /oidc prefix,
+  // so pass the full path through without stripping.
+
+  // Traefik terminates TLS — tell the provider we're on https
+  req.headers["x-forwarded-proto"] = "https";
+
+  // Hand off to oidc-provider's Connect-style callback
+  const callback = provider.callback() as Function;
+  await new Promise<void>((resolve, reject) => {
+    callback(req, res, (err: unknown) => {
+      if (err) reject(err);
+      else resolve();
+    });
+  });
+});
diff --git a/server/routes/oidc/interaction/[uid].get.ts b/server/routes/oidc/interaction/[uid].get.ts
new file mode 100644
index 0000000..ad6ad5a
--- /dev/null
+++ b/server/routes/oidc/interaction/[uid].get.ts
@@ -0,0 +1,94 @@
+/**
+ * OIDC interaction handler — checks for an existing Ghost Guild session.
+ *
+ * Flow:
+ * 1. Outline redirects user to /oidc/auth
+ * 2. oidc-provider creates an interaction and redirects here
+ * 3. If the user has a valid auth-token cookie → complete the interaction (SSO)
+ * 4. Otherwise → redirect to the OIDC login page
+ */
+import jwt from "jsonwebtoken";
+import Member from "../../../models/member.js";
+import { connectDB } from "../../../utils/mongoose.js";
+import { getOidcProvider } from "../../../utils/oidc-provider.js";
+
+export default defineEventHandler(async (event) => {
+  const provider = await getOidcProvider();
+  const uid = getRouterParam(event, "uid")!;
+
+  // Load the interaction details from oidc-provider
+  const interactionDetails = await provider.interactionDetails(
+    event.node.req,
+    event.node.res
+  );
+  const { prompt } = interactionDetails;
+
+  // ----- Login prompt -----
+  if (prompt.name === "login") {
+    // Check for existing Ghost Guild session
+    const token = getCookie(event, "auth-token");
+
+    if (token) {
+      try {
+        const config = useRuntimeConfig();
+        const decoded = jwt.verify(token, config.jwtSecret) as {
+          memberId: string;
+        };
+
+        await connectDB();
+        const member = await (Member as any).findById(decoded.memberId);
+
+        if (
+          member &&
+          member.status !== "suspended" &&
+          member.status !== "cancelled"
+        ) {
+          // Auto-complete the login interaction (SSO)
+          const result = {
+            login: { accountId: member._id.toString() },
+          };
+          await provider.interactionFinished(
+            event.node.req,
+            event.node.res,
+            result,
+            { mergeWithLastSubmission: false }
+          );
+          return;
+        }
+      } catch {
+        // Token invalid — fall through to login page
+      }
+    }
+
+    // No valid session — redirect to login page
+    return sendRedirect(event, `/oidc/login?uid=${uid}`, 302);
+  }
+
+  // ----- Consent prompt -----
+  if (prompt.name === "consent") {
+    // Auto-approve consent for our first-party client
+    const grant = interactionDetails.grantId
+      ? await provider.Grant.find(interactionDetails.grantId)
+      : new provider.Grant({
+          accountId: interactionDetails.session!.accountId,
+          clientId: interactionDetails.params.client_id as string,
+        });
+
+    if (grant) {
+      grant.addOIDCScope("openid profile email");
+      await grant.save();
+
+      const result = { consent: { grantId: grant.jti } };
+      await provider.interactionFinished(
+        event.node.req,
+        event.node.res,
+        result,
+        { mergeWithLastSubmission: true }
+      );
+      return;
+    }
+  }
+
+  // Fallback — shouldn't reach here normally
+  throw createError({ statusCode: 400, statusMessage: "Unknown interaction" });
+});
diff --git a/server/routes/oidc/interaction/login.post.ts b/server/routes/oidc/interaction/login.post.ts
new file mode 100644
index 0000000..d342dbc
--- /dev/null
+++ b/server/routes/oidc/interaction/login.post.ts
@@ -0,0 +1,81 @@
+/**
+ * Handle magic link login request during OIDC interaction flow.
+ *
+ * POST /oidc/interaction/login
+ * Body: { email: string, uid: string }
+ *
+ * Sends a magic link email. The link includes the OIDC interaction uid so the
+ * verify step can complete the interaction after authenticating.
+ */
+import jwt from "jsonwebtoken";
+import { Resend } from "resend";
+import Member from "../../../models/member.js";
+import { connectDB } from "../../../utils/mongoose.js";
+
+const resend = new Resend(process.env.RESEND_API_KEY);
+
+export default defineEventHandler(async (event) => {
+  await connectDB();
+
+  const body = await readBody(event);
+  const email = body?.email?.trim()?.toLowerCase();
+  const uid = body?.uid;
+
+  if (!email || !uid) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Email and interaction uid are required",
+    });
+  }
+
+  const GENERIC_MESSAGE =
+    "If this email is registered, we've sent a login link.";
+
+  const member = await (Member as any).findOne({ email });
+  if (!member) {
+    return { success: true, message: GENERIC_MESSAGE };
+  }
+
+  const config = useRuntimeConfig(event);
+  const token = jwt.sign(
+    { memberId: member._id, oidcUid: uid },
+    config.jwtSecret,
+    { expiresIn: "15m" }
+  );
+
+  const headers = getHeaders(event);
+  const baseUrl =
+    process.env.BASE_URL ||
+    `${headers.host?.includes("localhost") ? "http" : "https"}://${headers.host}`;
+
+  try {
+    await resend.emails.send({
+      from: "Ghost Guild <ghostguild@babyghosts.org>",
+      to: email,
+      subject: "Sign in to Ghost Guild Wiki",
+      html: `
+        <div style="font-family: Arial, sans-serif; max-width: 600px; margin: 0 auto;">
+          <h2 style="color: #2563eb;">Sign in to the Ghost Guild Wiki</h2>
+          <p>Click the button below to sign in:</p>
+          <div style="text-align: center; margin: 30px 0;">
+            <a href="${baseUrl}/oidc/interaction/verify?token=${token}"
+               style="background-color: #2563eb; color: white; padding: 12px 24px; text-decoration: none; border-radius: 6px; display: inline-block;">
+              Sign In
+            </a>
+          </div>
+          <p style="color: #666; font-size: 14px;">
+            This link expires in 15 minutes. If you didn't request this, you can safely ignore this email.
+          </p>
+        </div>
+      `,
+    });
+
+    return { success: true, message: GENERIC_MESSAGE };
+  } catch (error) {
+    console.error("Failed to send OIDC login email:", error);
+    throw createError({
+      statusCode: 500,
+      statusMessage: "Failed to send login email. Please try again.",
+    });
+  }
+});
diff --git a/server/routes/oidc/interaction/verify.get.ts b/server/routes/oidc/interaction/verify.get.ts
new file mode 100644
index 0000000..30b447b
--- /dev/null
+++ b/server/routes/oidc/interaction/verify.get.ts
@@ -0,0 +1,75 @@
+/**
+ * Verify magic link token and complete the OIDC login interaction.
+ *
+ * GET /oidc/interaction/verify?token=...
+ *
+ * This is the endpoint the magic link email points to. It:
+ * 1. Verifies the JWT token
+ * 2. Sets the Ghost Guild session cookie (so future logins are SSO)
+ * 3. Completes the OIDC interaction so the user is redirected back to Outline
+ */
+import jwt from "jsonwebtoken";
+import Member from "../../../models/member.js";
+import { connectDB } from "../../../utils/mongoose.js";
+import { getOidcProvider } from "../../../utils/oidc-provider.js";
+
+export default defineEventHandler(async (event) => {
+  const { token } = getQuery(event);
+
+  if (!token) {
+    throw createError({ statusCode: 400, statusMessage: "Token is required" });
+  }
+
+  const config = useRuntimeConfig(event);
+
+  let decoded: { memberId: string; oidcUid: string };
+  try {
+    decoded = jwt.verify(token as string, config.jwtSecret) as typeof decoded;
+  } catch {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Invalid or expired token",
+    });
+  }
+
+  await connectDB();
+  const member = await (Member as any).findById(decoded.memberId);
+
+  if (!member) {
+    throw createError({ statusCode: 404, statusMessage: "Member not found" });
+  }
+
+  if (member.status === "suspended" || member.status === "cancelled") {
+    throw createError({
+      statusCode: 403,
+      statusMessage: `Account is ${member.status}`,
+    });
+  }
+
+  // Set Ghost Guild session cookie for future SSO
+  const sessionToken = jwt.sign(
+    { memberId: member._id, email: member.email },
+    config.jwtSecret,
+    { expiresIn: "7d" }
+  );
+
+  setCookie(event, "auth-token", sessionToken, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "lax",
+    maxAge: 60 * 60 * 24 * 7,
+  });
+
+  // Complete the OIDC interaction
+  const provider = await getOidcProvider();
+  const result = {
+    login: { accountId: member._id.toString() },
+  };
+
+  await provider.interactionFinished(
+    event.node.req,
+    event.node.res,
+    result,
+    { mergeWithLastSubmission: false }
+  );
+});
diff --git a/server/utils/auth.js b/server/utils/auth.js
new file mode 100644
index 0000000..a0cacfc
--- /dev/null
+++ b/server/utils/auth.js
@@ -0,0 +1,65 @@
+import jwt from 'jsonwebtoken'
+import Member from '../models/member.js'
+import { connectDB } from './mongoose.js'
+
+/**
+ * Verify JWT from cookie and return the decoded member.
+ * Throws 401 if token is missing or invalid.
+ */
+export async function requireAuth(event) {
+  await connectDB()
+
+  const token = getCookie(event, 'auth-token')
+
+  if (!token) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: 'Authentication required'
+    })
+  }
+
+  let decoded
+  try {
+    decoded = jwt.verify(token, useRuntimeConfig().jwtSecret)
+  } catch (err) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: 'Invalid or expired token'
+    })
+  }
+
+  const member = await Member.findById(decoded.memberId)
+
+  if (!member) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: 'Member not found'
+    })
+  }
+
+  if (member.status === 'suspended' || member.status === 'cancelled') {
+    throw createError({
+      statusCode: 403,
+      statusMessage: 'Account is ' + member.status
+    })
+  }
+
+  return member
+}
+
+/**
+ * Verify JWT and require admin role.
+ * Throws 401 if not authenticated, 403 if not admin.
+ */
+export async function requireAdmin(event) {
+  const member = await requireAuth(event)
+
+  if (member.role !== 'admin') {
+    throw createError({
+      statusCode: 403,
+      statusMessage: 'Admin access required'
+    })
+  }
+
+  return member
+}
diff --git a/server/utils/escapeHtml.js b/server/utils/escapeHtml.js
new file mode 100644
index 0000000..d7c105d
--- /dev/null
+++ b/server/utils/escapeHtml.js
@@ -0,0 +1,18 @@
+const ESCAPE_MAP = {
+  '&': '&amp;',
+  '<': '&lt;',
+  '>': '&gt;',
+  '"': '&quot;',
+  "'": '&#39;'
+}
+
+const ESCAPE_RE = /[&<>"']/g
+
+/**
+ * Escape HTML special characters to prevent XSS in email templates.
+ * Returns empty string for null/undefined input.
+ */
+export function escapeHtml(str) {
+  if (str == null) return ''
+  return String(str).replace(ESCAPE_RE, (ch) => ESCAPE_MAP[ch])
+}
diff --git a/server/utils/oidc-mongodb-adapter.ts b/server/utils/oidc-mongodb-adapter.ts
new file mode 100644
index 0000000..f47f3b8
--- /dev/null
+++ b/server/utils/oidc-mongodb-adapter.ts
@@ -0,0 +1,114 @@
+/**
+ * MongoDB adapter for oidc-provider.
+ *
+ * Stores OIDC tokens, sessions, and grants in an `oidc_payloads` collection
+ * with TTL indexes for automatic cleanup. Uses the existing Mongoose connection.
+ */
+import mongoose from "mongoose";
+import { connectDB } from "./mongoose.js";
+
+const collectionName = "oidc_payloads";
+
+type MongoPayload = {
+  _id: string;
+  payload: Record<string, unknown>;
+  expiresAt?: Date;
+  userCode?: string;
+  uid?: string;
+  grantId?: string;
+};
+
+let collectionReady = false;
+
+async function getCollection() {
+  await connectDB();
+  const db = mongoose.connection.db!;
+  const col = db.collection<MongoPayload>(collectionName);
+
+  if (!collectionReady) {
+    // TTL index — MongoDB automatically removes documents after expiresAt
+    await col
+      .createIndex({ expiresAt: 1 }, { expireAfterSeconds: 0 })
+      .catch(() => {});
+    // Lookup indexes
+    await col.createIndex({ "payload.grantId": 1 }).catch(() => {});
+    await col.createIndex({ "payload.userCode": 1 }).catch(() => {});
+    await col.createIndex({ "payload.uid": 1 }).catch(() => {});
+    collectionReady = true;
+  }
+
+  return col;
+}
+
+function prefixedId(model: string, id: string) {
+  return `${model}:${id}`;
+}
+
+export class MongoAdapter {
+  model: string;
+
+  constructor(model: string) {
+    this.model = model;
+  }
+
+  async upsert(
+    id: string,
+    payload: Record<string, unknown>,
+    expiresIn: number
+  ) {
+    const col = await getCollection();
+    const expiresAt = expiresIn
+      ? new Date(Date.now() + expiresIn * 1000)
+      : undefined;
+
+    await col.updateOne(
+      { _id: prefixedId(this.model, id) as any },
+      {
+        $set: {
+          payload,
+          ...(expiresAt ? { expiresAt } : {}),
+        },
+      },
+      { upsert: true }
+    );
+  }
+
+  async find(id: string) {
+    const col = await getCollection();
+    const doc = await col.findOne({ _id: prefixedId(this.model, id) as any });
+    if (!doc) return undefined;
+    return doc.payload;
+  }
+
+  async findByUserCode(userCode: string) {
+    const col = await getCollection();
+    const doc = await col.findOne({ "payload.userCode": userCode });
+    if (!doc) return undefined;
+    return doc.payload;
+  }
+
+  async findByUid(uid: string) {
+    const col = await getCollection();
+    const doc = await col.findOne({ "payload.uid": uid });
+    if (!doc) return undefined;
+    return doc.payload;
+  }
+
+  async consume(id: string) {
+    const col = await getCollection();
+    await col.updateOne(
+      { _id: prefixedId(this.model, id) as any },
+      { $set: { "payload.consumed": Math.floor(Date.now() / 1000) } }
+    );
+  }
+
+  async destroy(id: string) {
+    const col = await getCollection();
+    await col.deleteOne({ _id: prefixedId(this.model, id) as any });
+  }
+
+  async revokeByGrantId(grantId: string) {
+    const col = await getCollection();
+    await col.deleteMany({ "payload.grantId": grantId });
+  }
+}
diff --git a/server/utils/oidc-provider.ts b/server/utils/oidc-provider.ts
new file mode 100644
index 0000000..37d5d19
--- /dev/null
+++ b/server/utils/oidc-provider.ts
@@ -0,0 +1,136 @@
+/**
+ * OIDC Provider configuration for Ghost Guild.
+ *
+ * ghostguild.org acts as the identity provider. Outline wiki is the sole
+ * relying party (client). Members authenticate via the existing magic-link
+ * flow, and the provider issues standard OIDC tokens so Outline can identify
+ * them.
+ */
+import Provider from "oidc-provider";
+import { MongoAdapter } from "./oidc-mongodb-adapter.js";
+import Member from "../models/member.js";
+import { connectDB } from "./mongoose.js";
+
+let _provider: InstanceType<typeof Provider> | null = null;
+
+export async function getOidcProvider() {
+  if (_provider) return _provider;
+
+  const config = useRuntimeConfig();
+  const issuer =
+    process.env.OIDC_ISSUER || config.public.appUrl || "https://ghostguild.org";
+
+  _provider = new Provider(issuer, {
+    adapter: MongoAdapter,
+
+    // Trust X-Forwarded-Proto from Traefik reverse proxy
+    proxy: true,
+
+    clients: [
+      {
+        client_id: process.env.OIDC_CLIENT_ID || "outline-wiki",
+        client_secret: process.env.OIDC_CLIENT_SECRET || "",
+        redirect_uris: [
+          "https://wiki.ghostguild.org/auth/oidc.callback",
+          // Local development callback
+          "http://localhost:3100/auth/oidc.callback",
+        ],
+        post_logout_redirect_uris: [
+          "https://wiki.ghostguild.org",
+          "http://localhost:3100",
+        ],
+        grant_types: ["authorization_code", "refresh_token"],
+        response_types: ["code"],
+        token_endpoint_auth_method: "client_secret_post",
+      },
+    ],
+
+    claims: {
+      openid: ["sub"],
+      profile: ["name", "preferred_username"],
+      email: ["email", "email_verified"],
+    },
+
+    scopes: ["openid", "profile", "email", "offline_access"],
+
+    findAccount: async (_ctx: unknown, id: string) => {
+      await connectDB();
+      const member = await (Member as any).findById(id);
+      if (!member) return undefined;
+
+      return {
+        accountId: id,
+        async claims(_use: string, _scope: string) {
+          return {
+            sub: id,
+            name: member.name,
+            preferred_username: member.name,
+            email: member.email,
+            email_verified: true,
+          };
+        },
+      };
+    },
+
+    cookies: {
+      keys: (process.env.OIDC_COOKIE_SECRET || "dev-cookie-secret").split(","),
+    },
+
+    ttl: {
+      AccessToken: 3600, // 1 hour
+      AuthorizationCode: 600, // 10 minutes
+      RefreshToken: 14 * 24 * 60 * 60, // 14 days
+      Session: 14 * 24 * 60 * 60, // 14 days
+      Interaction: 600, // 10 minutes
+      Grant: 14 * 24 * 60 * 60, // 14 days
+    },
+
+    features: {
+      devInteractions: {
+        enabled: process.env.NODE_ENV !== "production",
+      },
+      revocation: { enabled: true },
+      rpInitiatedLogout: { enabled: true },
+    },
+
+    // Mount all OIDC endpoints under /oidc prefix
+    routes: {
+      authorization: "/oidc/auth",
+      backchannel_authentication: "/oidc/backchannel",
+      code_verification: "/oidc/device",
+      device_authorization: "/oidc/device/auth",
+      end_session: "/oidc/session/end",
+      introspection: "/oidc/token/introspection",
+      jwks: "/oidc/jwks",
+      pushed_authorization_request: "/oidc/request",
+      registration: "/oidc/reg",
+      revocation: "/oidc/token/revocation",
+      token: "/oidc/token",
+      userinfo: "/oidc/me",
+    },
+
+    interactions: {
+      url(_ctx: unknown, interaction: { uid: string }) {
+        return `/oidc/interaction/${interaction.uid}`;
+      },
+    },
+
+    // Allow Outline to use PKCE but don't require it
+    pkce: {
+      required: () => false,
+    },
+
+    // Skip consent for our first-party Outline client
+    loadExistingGrant: async (ctx: any) => {
+      const grant = new (ctx.oidc.provider.Grant as any)({
+        accountId: ctx.oidc.session!.accountId,
+        clientId: ctx.oidc.client!.clientId,
+      });
+      grant.addOIDCScope("openid profile email");
+      await grant.save();
+      return grant;
+    },
+  });
+
+  return _provider;
+}
diff --git a/server/utils/resend.js b/server/utils/resend.js
index 9317328..5f0b179 100644
--- a/server/utils/resend.js
+++ b/server/utils/resend.js
@@ -1,4 +1,5 @@
 import { Resend } from "resend";
+import { escapeHtml } from "./escapeHtml.js";
 
 const resend = new Resend(process.env.RESEND_API_KEY);
 
@@ -33,7 +34,7 @@ export async function sendEventRegistrationEmail(registration, eventData) {
     const { data, error } = await resend.emails.send({
       from: "Ghost Guild <events@babyghosts.org>",
       to: [registration.email],
-      subject: `You're registered for ${eventData.title}`,
+      subject: `You're registered for ${escapeHtml(eventData.title)}`,
       html: `
         <!DOCTYPE html>
         <html>
@@ -105,9 +106,9 @@ export async function sendEventRegistrationEmail(registration, eventData) {
             </div>
 
             <div class="content">
-              <p>Hi ${registration.name},</p>
+              <p>Hi ${escapeHtml(registration.name)},</p>
 
-              <p>Thank you for registering for <strong>${eventData.title}</strong>!</p>
+              <p>Thank you for registering for <strong>${escapeHtml(eventData.title)}</strong>!</p>
 
               <div class="event-details">
                 <div class="detail-row">
@@ -122,11 +123,11 @@ export async function sendEventRegistrationEmail(registration, eventData) {
 
                 <div class="detail-row">
                   <div class="label">Location</div>
-                  <div class="value">${eventData.location}</div>
+                  <div class="value">${escapeHtml(eventData.location)}</div>
                 </div>
               </div>
 
-              ${eventData.description ? `<p>${eventData.description}</p>` : ""}
+              ${eventData.description ? `<p>${escapeHtml(eventData.description)}</p>` : ""}
 
               ${
                 registration.ticketType &&
@@ -148,7 +149,7 @@ export async function sendEventRegistrationEmail(registration, eventData) {
                       ? `
                   <div class="detail-row">
                     <div class="label">Transaction ID</div>
-                    <div class="value" style="font-size: 12px; font-family: monospace;">${registration.paymentId}</div>
+                    <div class="value" style="font-size: 12px; font-family: monospace;">${escapeHtml(registration.paymentId)}</div>
                   </div>
                   `
                       : ""
@@ -211,7 +212,7 @@ export async function sendEventCancellationEmail(registration, eventData) {
     const { data, error } = await resend.emails.send({
       from: "Ghost Guild <events@ghostguild.org>",
       to: [registration.email],
-      subject: `Registration cancelled: ${eventData.title}`,
+      subject: `Registration cancelled: ${escapeHtml(eventData.title)}`,
       html: `
         <!DOCTYPE html>
         <html>
@@ -264,9 +265,9 @@ export async function sendEventCancellationEmail(registration, eventData) {
             </div>
 
             <div class="content">
-              <p>Hi ${registration.name},</p>
+              <p>Hi ${escapeHtml(registration.name)},</p>
 
-              <p>Your registration for <strong>${eventData.title}</strong> has been cancelled.</p>
+              <p>Your registration for <strong>${escapeHtml(eventData.title)}</strong> has been cancelled.</p>
 
               <p>We're sorry you can't make it. You can always register again if your plans change.</p>
 
@@ -332,7 +333,7 @@ export async function sendWaitlistNotificationEmail(waitlistEntry, eventData) {
     const { data, error } = await resend.emails.send({
       from: "Ghost Guild <events@ghostguild.org>",
       to: [waitlistEntry.email],
-      subject: `A spot opened up for ${eventData.title}!`,
+      subject: `A spot opened up for ${escapeHtml(eventData.title)}!`,
       html: `
         <!DOCTYPE html>
         <html>
@@ -413,9 +414,9 @@ export async function sendWaitlistNotificationEmail(waitlistEntry, eventData) {
             </div>
 
             <div class="content">
-              <p>Hi ${waitlistEntry.name},</p>
+              <p>Hi ${escapeHtml(waitlistEntry.name)},</p>
 
-              <p>Great news! A spot has become available for <strong>${eventData.title}</strong>, and you're on the waitlist.</p>
+              <p>Great news! A spot has become available for <strong>${escapeHtml(eventData.title)}</strong>, and you're on the waitlist.</p>
 
               <div class="urgent">
                 <p style="margin: 0; font-weight: 600; color: #92400e;">
@@ -426,7 +427,7 @@ export async function sendWaitlistNotificationEmail(waitlistEntry, eventData) {
               <div class="event-details">
                 <div class="detail-row">
                   <div class="label">Event</div>
-                  <div class="value">${eventData.title}</div>
+                  <div class="value">${escapeHtml(eventData.title)}</div>
                 </div>
 
                 <div class="detail-row">
@@ -441,7 +442,7 @@ export async function sendWaitlistNotificationEmail(waitlistEntry, eventData) {
 
                 <div class="detail-row">
                   <div class="label">Location</div>
-                  <div class="value">${eventData.location}</div>
+                  <div class="value">${escapeHtml(eventData.location)}</div>
                 </div>
               </div>
 
@@ -529,7 +530,7 @@ export async function sendSeriesPassConfirmation(options) {
     const { data, error } = await resend.emails.send({
       from: "Ghost Guild <events@babyghosts.org>",
       to: [to],
-      subject: `Your Series Pass for ${series.title}`,
+      subject: `Your Series Pass for ${escapeHtml(series.title)}`,
       html: `
         <!DOCTYPE html>
         <html>
@@ -620,10 +621,10 @@ export async function sendSeriesPassConfirmation(options) {
             </div>
 
             <div class="content">
-              <p style="font-size: 18px; margin-bottom: 10px;">Hi ${name},</p>
+              <p style="font-size: 18px; margin-bottom: 10px;">Hi ${escapeHtml(name)},</p>
 
               <p>
-                Great news! Your series pass for <strong>${series.title}</strong> is confirmed.
+                Great news! Your series pass for <strong>${escapeHtml(series.title)}</strong> is confirmed.
                 You're now registered for all ${events.length} events in this ${seriesTypeLabels[series.type] || "series"}.
               </p>
 
@@ -647,7 +648,7 @@ export async function sendSeriesPassConfirmation(options) {
 
                 <div class="detail-row">
                   <div class="label">Series</div>
-                  <div class="value">${series.title}</div>
+                  <div class="value">${escapeHtml(series.title)}</div>
                 </div>
 
                 ${
@@ -655,7 +656,7 @@ export async function sendSeriesPassConfirmation(options) {
                     ? `
                 <div class="detail-row">
                   <div class="label">About</div>
-                  <div class="value">${series.description}</div>
+                  <div class="value">${escapeHtml(series.description)}</div>
                 </div>
                 `
                     : ""
@@ -676,7 +677,7 @@ export async function sendSeriesPassConfirmation(options) {
                     ? `
                 <div class="detail-row">
                   <div class="label">Transaction ID</div>
-                  <div class="value" style="font-family: monospace; font-size: 14px;">${paymentId}</div>
+                  <div class="value" style="font-family: monospace; font-size: 14px;">${escapeHtml(paymentId)}</div>
                 </div>
                 `
                     : ""
@@ -699,7 +700,7 @@ export async function sendSeriesPassConfirmation(options) {
                     (event, index) => `
                   <div class="event-item">
                     <div style="font-weight: 600; color: #7c3aed; margin-bottom: 5px;">
-                      Event ${index + 1}: ${event.title}
+                      Event ${index + 1}: ${escapeHtml(event.title)}
                     </div>
                     <div style="font-size: 14px; color: #666; margin: 5px 0;">
                       📅 ${formatDate(event.startDate)}
@@ -708,7 +709,7 @@ export async function sendSeriesPassConfirmation(options) {
                       🕐 ${formatTime(event.startDate, event.endDate)}
                     </div>
                     <div style="font-size: 14px; color: #666; margin: 5px 0;">
-                      📍 ${event.location}
+                      📍 ${escapeHtml(event.location)}
                     </div>
                   </div>
                 `,
diff --git a/server/utils/schemas.js b/server/utils/schemas.js
new file mode 100644
index 0000000..5278098
--- /dev/null
+++ b/server/utils/schemas.js
@@ -0,0 +1,96 @@
+import * as z from 'zod'
+
+const privacyEnum = z.enum(['public', 'members', 'private'])
+
+export const emailSchema = z.object({
+  email: z.string().trim().toLowerCase().email()
+})
+
+export const memberCreateSchema = z.object({
+  email: z.string().trim().toLowerCase().email(),
+  name: z.string().min(1).max(200),
+  circle: z.enum(['community', 'founder', 'practitioner']),
+  contributionTier: z.enum(['0', '5', '15', '30', '50'])
+})
+
+export const memberProfileUpdateSchema = z.object({
+  pronouns: z.string().max(100).optional(),
+  timeZone: z.string().max(100).optional(),
+  avatar: z.union([z.string().url().max(500), z.literal('')]).optional(),
+  studio: z.string().max(200).optional(),
+  bio: z.string().max(5000).optional(),
+  location: z.string().max(200).optional(),
+  socialLinks: z.object({
+    mastodon: z.string().max(300).optional(),
+    linkedin: z.string().max(300).optional(),
+    website: z.string().max(300).optional(),
+    other: z.string().max(300).optional()
+  }).optional(),
+  offering: z.object({
+    text: z.string().max(2000).optional(),
+    tags: z.array(z.string().max(100)).max(20).optional()
+  }).optional(),
+  lookingFor: z.object({
+    text: z.string().max(2000).optional(),
+    tags: z.array(z.string().max(100)).max(20).optional()
+  }).optional(),
+  showInDirectory: z.boolean().optional(),
+  pronounsPrivacy: privacyEnum.optional(),
+  timeZonePrivacy: privacyEnum.optional(),
+  avatarPrivacy: privacyEnum.optional(),
+  studioPrivacy: privacyEnum.optional(),
+  bioPrivacy: privacyEnum.optional(),
+  locationPrivacy: privacyEnum.optional(),
+  socialLinksPrivacy: privacyEnum.optional(),
+  offeringPrivacy: privacyEnum.optional(),
+  lookingForPrivacy: privacyEnum.optional()
+})
+
+export const eventRegistrationSchema = z.object({
+  name: z.string().min(1).max(200),
+  email: z.string().trim().toLowerCase().email(),
+  dietary: z.boolean().optional()
+})
+
+export const updateCreateSchema = z.object({
+  content: z.string().min(1).max(50000),
+  images: z.array(z.string().url()).max(20).optional(),
+  privacy: z.enum(['public', 'members', 'private']).optional(),
+  commentsEnabled: z.boolean().optional()
+})
+
+export const paymentVerifySchema = z.object({
+  cardToken: z.string().min(1),
+  customerId: z.string().min(1)
+})
+
+export const adminEventCreateSchema = z.object({
+  title: z.string().min(1).max(500),
+  description: z.string().min(1).max(50000),
+  startDate: z.string().min(1),
+  endDate: z.string().min(1),
+  location: z.string().max(500).optional(),
+  maxAttendees: z.number().int().positive().optional(),
+  membersOnly: z.boolean().optional(),
+  registrationDeadline: z.string().optional(),
+  pricing: z.object({
+    paymentRequired: z.boolean().optional(),
+    isFree: z.boolean().optional()
+  }).optional(),
+  tickets: z.object({
+    enabled: z.boolean().optional(),
+    public: z.object({
+      available: z.boolean().optional(),
+      name: z.string().max(200).optional(),
+      description: z.string().max(2000).optional(),
+      price: z.number().min(0).optional(),
+      quantity: z.number().int().positive().optional(),
+      earlyBirdPrice: z.number().min(0).optional(),
+      earlyBirdDeadline: z.string().optional()
+    }).optional()
+  }).optional(),
+  image: z.string().url().optional(),
+  category: z.string().max(100).optional(),
+  tags: z.array(z.string().max(100)).max(20).optional(),
+  series: z.string().optional()
+})
diff --git a/server/utils/validateBody.js b/server/utils/validateBody.js
new file mode 100644
index 0000000..63f1f96
--- /dev/null
+++ b/server/utils/validateBody.js
@@ -0,0 +1,12 @@
+export async function validateBody(event, schema) {
+  const body = await readBody(event)
+  const result = schema.safeParse(body)
+  if (!result.success) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: 'Validation failed',
+      data: result.error.flatten().fieldErrors
+    })
+  }
+  return result.data
+}
diff --git a/tests/client/composables/useMarkdown.test.js b/tests/client/composables/useMarkdown.test.js
new file mode 100644
index 0000000..c78e6b0
--- /dev/null
+++ b/tests/client/composables/useMarkdown.test.js
@@ -0,0 +1,110 @@
+import { describe, it, expect } from 'vitest'
+import { useMarkdown } from '../../../app/composables/useMarkdown.js'
+
+describe('useMarkdown', () => {
+  const { render } = useMarkdown()
+
+  describe('XSS prevention', () => {
+    it('strips script tags', () => {
+      const result = render('Hello <script>alert("xss")</script> world')
+      expect(result).not.toContain('<script>')
+      expect(result).not.toContain('</script>')
+      expect(result).toContain('Hello')
+      expect(result).toContain('world')
+    })
+
+    it('strips onerror attributes', () => {
+      const result = render('<img onerror="alert(1)" src="x">')
+      expect(result).not.toContain('onerror')
+    })
+
+    it('strips onclick attributes', () => {
+      const result = render('<a onclick="alert(1)" href="#">click</a>')
+      expect(result).not.toContain('onclick')
+    })
+
+    it('strips iframe tags', () => {
+      const result = render('<iframe src="https://evil.com"></iframe>')
+      expect(result).not.toContain('<iframe')
+    })
+
+    it('strips object tags', () => {
+      const result = render('<object data="exploit.swf"></object>')
+      expect(result).not.toContain('<object')
+    })
+
+    it('strips embed tags', () => {
+      const result = render('<embed src="exploit.swf">')
+      expect(result).not.toContain('<embed')
+    })
+
+    it('sanitizes javascript: URIs', () => {
+      const result = render('[click me](javascript:alert(1))')
+      expect(result).not.toContain('javascript:')
+    })
+
+    it('strips img tags (not in allowed list)', () => {
+      const result = render('![alt](https://example.com/img.png)')
+      expect(result).not.toContain('<img')
+    })
+  })
+
+  describe('preserves safe markdown', () => {
+    it('renders bold and italic', () => {
+      const result = render('**bold** and *italic*')
+      expect(result).toContain('<strong>bold</strong>')
+      expect(result).toContain('<em>italic</em>')
+    })
+
+    it('renders links with href', () => {
+      const result = render('[Ghost Guild](https://ghostguild.org)')
+      expect(result).toContain('<a')
+      expect(result).toContain('href="https://ghostguild.org"')
+    })
+
+    it('preserves headings h1-h6', () => {
+      for (let i = 1; i <= 6; i++) {
+        const hashes = '#'.repeat(i)
+        const result = render(`${hashes} Heading ${i}`)
+        expect(result).toContain(`<h${i}>`)
+      }
+    })
+
+    it('preserves code blocks', () => {
+      const result = render('`inline code` and\n\n```\nblock code\n```')
+      expect(result).toContain('<code>')
+      expect(result).toContain('<pre>')
+    })
+
+    it('preserves blockquotes', () => {
+      const result = render('> This is a quote')
+      expect(result).toContain('<blockquote>')
+    })
+
+    it('preserves lists', () => {
+      const result = render('- item 1\n- item 2')
+      expect(result).toContain('<ul>')
+      expect(result).toContain('<li>')
+    })
+
+    it('preserves allowed attributes: href, target, rel, class', () => {
+      // DOMPurify allows href on <a> tags
+      const result = render('[link](https://example.com)')
+      expect(result).toContain('href=')
+    })
+  })
+
+  describe('edge cases', () => {
+    it('returns empty string for null', () => {
+      expect(render(null)).toBe('')
+    })
+
+    it('returns empty string for undefined', () => {
+      expect(render(undefined)).toBe('')
+    })
+
+    it('returns empty string for empty string', () => {
+      expect(render('')).toBe('')
+    })
+  })
+})
diff --git a/tests/server/api/auth-login.test.js b/tests/server/api/auth-login.test.js
new file mode 100644
index 0000000..828240b
--- /dev/null
+++ b/tests/server/api/auth-login.test.js
@@ -0,0 +1,113 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+
+vi.mock('../../../server/models/member.js', () => ({
+  default: { findOne: vi.fn() }
+}))
+
+vi.mock('../../../server/utils/mongoose.js', () => ({
+  connectDB: vi.fn()
+}))
+
+vi.mock('jsonwebtoken', () => ({
+  default: { sign: vi.fn().mockReturnValue('mock-jwt-token') }
+}))
+
+vi.mock('resend', () => ({
+  Resend: class MockResend {
+    constructor() {
+      this.emails = { send: vi.fn().mockResolvedValue({ id: 'email-123' }) }
+    }
+  }
+}))
+
+import Member from '../../../server/models/member.js'
+import loginHandler from '../../../server/api/auth/login.post.js'
+import { createMockEvent } from '../helpers/createMockEvent.js'
+
+describe('auth login endpoint', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+
+  it('returns generic success message for existing member', async () => {
+    Member.findOne.mockResolvedValue({
+      _id: 'member-123',
+      email: 'exists@example.com'
+    })
+
+    const event = createMockEvent({
+      method: 'POST',
+      path: '/api/auth/login',
+      body: { email: 'exists@example.com' },
+      headers: { host: 'localhost:3000' }
+    })
+
+    const result = await loginHandler(event)
+
+    expect(result).toEqual({
+      success: true,
+      message: "If this email is registered, we've sent a login link."
+    })
+  })
+
+  it('returns identical response for non-existing member (anti-enumeration)', async () => {
+    Member.findOne.mockResolvedValue(null)
+
+    const event = createMockEvent({
+      method: 'POST',
+      path: '/api/auth/login',
+      body: { email: 'nonexistent@example.com' },
+      headers: { host: 'localhost:3000' }
+    })
+
+    const result = await loginHandler(event)
+
+    expect(result).toEqual({
+      success: true,
+      message: "If this email is registered, we've sent a login link."
+    })
+  })
+
+  it('both existing and non-existing produce same shape and message', async () => {
+    // Existing member
+    Member.findOne.mockResolvedValue({ _id: 'member-123', email: 'a@b.com' })
+    const event1 = createMockEvent({
+      method: 'POST',
+      path: '/api/auth/login',
+      body: { email: 'a@b.com' },
+      headers: { host: 'localhost:3000' }
+    })
+    const result1 = await loginHandler(event1)
+
+    vi.clearAllMocks()
+
+    // Non-existing member
+    Member.findOne.mockResolvedValue(null)
+    const event2 = createMockEvent({
+      method: 'POST',
+      path: '/api/auth/login',
+      body: { email: 'nobody@example.com' },
+      headers: { host: 'localhost:3000' }
+    })
+    const result2 = await loginHandler(event2)
+
+    // Response shape and message must be identical
+    expect(Object.keys(result1).sort()).toEqual(Object.keys(result2).sort())
+    expect(result1.success).toBe(result2.success)
+    expect(result1.message).toBe(result2.message)
+  })
+
+  it('throws 400 when email is missing from body', async () => {
+    const event = createMockEvent({
+      method: 'POST',
+      path: '/api/auth/login',
+      body: {},
+      headers: { host: 'localhost:3000' }
+    })
+
+    await expect(loginHandler(event)).rejects.toMatchObject({
+      statusCode: 400,
+      statusMessage: 'Validation failed'
+    })
+  })
+})
diff --git a/tests/server/api/members-profile-patch.test.js b/tests/server/api/members-profile-patch.test.js
new file mode 100644
index 0000000..d18436c
--- /dev/null
+++ b/tests/server/api/members-profile-patch.test.js
@@ -0,0 +1,157 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+
+vi.mock('../../../server/utils/auth.js', () => ({
+  requireAuth: vi.fn()
+}))
+
+vi.mock('../../../server/models/member.js', () => ({
+  default: { findByIdAndUpdate: vi.fn() }
+}))
+
+import { requireAuth } from '../../../server/utils/auth.js'
+import Member from '../../../server/models/member.js'
+import profilePatchHandler from '../../../server/api/members/profile.patch.js'
+import { createMockEvent } from '../helpers/createMockEvent.js'
+
+describe('members profile PATCH endpoint', () => {
+  const mockMember = {
+    _id: 'member-123',
+    email: 'test@example.com',
+    name: 'Test User',
+    circle: 'community',
+    contributionTier: 5,
+    pronouns: 'they/them',
+    timeZone: 'America/New_York',
+    avatar: 'https://example.com/avatar.jpg',
+    studio: 'Test Studio',
+    bio: 'Updated bio',
+    location: 'NYC',
+    socialLinks: { twitter: '@test' },
+    offering: { text: 'help', tags: ['code'] },
+    lookingFor: { text: 'feedback', tags: ['design'] },
+    showInDirectory: true
+  }
+
+  beforeEach(() => {
+    vi.clearAllMocks()
+    requireAuth.mockResolvedValue({ _id: 'member-123' })
+    Member.findByIdAndUpdate.mockResolvedValue(mockMember)
+  })
+
+  describe('field allowlist - forbidden fields are rejected', () => {
+    it('does not pass helcimCustomerId to database update', async () => {
+      const event = createMockEvent({
+        method: 'PATCH',
+        path: '/api/members/profile',
+        body: { bio: 'new bio', helcimCustomerId: 'hacked-id' }
+      })
+
+      await profilePatchHandler(event)
+
+      const updateCall = Member.findByIdAndUpdate.mock.calls[0]
+      const setData = updateCall[1].$set
+      expect(setData).not.toHaveProperty('helcimCustomerId')
+      expect(setData).toHaveProperty('bio', 'new bio')
+    })
+
+    it('does not pass role to database update', async () => {
+      const event = createMockEvent({
+        method: 'PATCH',
+        path: '/api/members/profile',
+        body: { bio: 'new bio', role: 'admin' }
+      })
+
+      await profilePatchHandler(event)
+
+      const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
+      expect(setData).not.toHaveProperty('role')
+    })
+
+    it('does not pass status to database update', async () => {
+      const event = createMockEvent({
+        method: 'PATCH',
+        path: '/api/members/profile',
+        body: { bio: 'new bio', status: 'active' }
+      })
+
+      await profilePatchHandler(event)
+
+      const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
+      expect(setData).not.toHaveProperty('status')
+    })
+
+    it('does not pass email to database update', async () => {
+      const event = createMockEvent({
+        method: 'PATCH',
+        path: '/api/members/profile',
+        body: { bio: 'new bio', email: 'hacked@evil.com' }
+      })
+
+      await profilePatchHandler(event)
+
+      const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
+      expect(setData).not.toHaveProperty('email')
+    })
+
+    it('does not pass _id to database update', async () => {
+      const event = createMockEvent({
+        method: 'PATCH',
+        path: '/api/members/profile',
+        body: { bio: 'new bio', _id: 'different-id' }
+      })
+
+      await profilePatchHandler(event)
+
+      const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
+      expect(setData).not.toHaveProperty('_id')
+    })
+  })
+
+  describe('field allowlist - allowed fields pass through', () => {
+    it('passes allowed profile fields through', async () => {
+      const event = createMockEvent({
+        method: 'PATCH',
+        path: '/api/members/profile',
+        body: {
+          pronouns: 'they/them',
+          bio: 'Updated bio',
+          studio: 'Test Studio',
+          location: 'NYC',
+          timeZone: 'America/New_York',
+          avatar: 'https://example.com/avatar.jpg',
+          showInDirectory: true,
+          socialLinks: { twitter: '@test' }
+        }
+      })
+
+      await profilePatchHandler(event)
+
+      const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
+      expect(setData).toHaveProperty('pronouns', 'they/them')
+      expect(setData).toHaveProperty('bio', 'Updated bio')
+      expect(setData).toHaveProperty('studio', 'Test Studio')
+      expect(setData).toHaveProperty('location', 'NYC')
+      expect(setData).toHaveProperty('timeZone', 'America/New_York')
+      expect(setData).toHaveProperty('avatar', 'https://example.com/avatar.jpg')
+      expect(setData).toHaveProperty('showInDirectory', true)
+      expect(setData).toHaveProperty('socialLinks')
+    })
+
+    it('passes offering and lookingFor nested objects through', async () => {
+      const event = createMockEvent({
+        method: 'PATCH',
+        path: '/api/members/profile',
+        body: {
+          offering: { text: 'mentoring', tags: ['code', 'design'] },
+          lookingFor: { text: 'feedback', tags: ['art'] }
+        }
+      })
+
+      await profilePatchHandler(event)
+
+      const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
+      expect(setData.offering).toEqual({ text: 'mentoring', tags: ['code', 'design'] })
+      expect(setData.lookingFor).toEqual({ text: 'feedback', tags: ['art'] })
+    })
+  })
+})
diff --git a/tests/server/api/validation.test.js b/tests/server/api/validation.test.js
new file mode 100644
index 0000000..5d1ac9e
--- /dev/null
+++ b/tests/server/api/validation.test.js
@@ -0,0 +1,273 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+import { createMockEvent } from '../helpers/createMockEvent.js'
+import {
+  emailSchema,
+  memberCreateSchema,
+  memberProfileUpdateSchema,
+  eventRegistrationSchema,
+  updateCreateSchema,
+  paymentVerifySchema,
+  adminEventCreateSchema
+} from '../../../server/utils/schemas.js'
+import { validateBody } from '../../../server/utils/validateBody.js'
+
+// --- Schema unit tests ---
+
+describe('emailSchema', () => {
+  it('accepts a valid email', () => {
+    const result = emailSchema.safeParse({ email: 'test@example.com' })
+    expect(result.success).toBe(true)
+    expect(result.data.email).toBe('test@example.com')
+  })
+
+  it('rejects a malformed email', () => {
+    const result = emailSchema.safeParse({ email: 'not-an-email' })
+    expect(result.success).toBe(false)
+  })
+
+  it('rejects missing email', () => {
+    const result = emailSchema.safeParse({})
+    expect(result.success).toBe(false)
+  })
+
+  it('trims and lowercases email', () => {
+    const result = emailSchema.safeParse({ email: '  Test@EXAMPLE.COM  ' })
+    expect(result.success).toBe(true)
+    expect(result.data.email).toBe('test@example.com')
+  })
+})
+
+describe('memberCreateSchema', () => {
+  const validMember = {
+    email: 'new@example.com',
+    name: 'Test User',
+    circle: 'community',
+    contributionTier: '0'
+  }
+
+  it('accepts valid member data', () => {
+    const result = memberCreateSchema.safeParse(validMember)
+    expect(result.success).toBe(true)
+  })
+
+  it('rejects role field (mass assignment)', () => {
+    const result = memberCreateSchema.safeParse({ ...validMember, role: 'admin' })
+    expect(result.success).toBe(true)
+    // role should NOT be in the output
+    expect(result.data).not.toHaveProperty('role')
+  })
+
+  it('rejects status field (mass assignment)', () => {
+    const result = memberCreateSchema.safeParse({ ...validMember, status: 'active' })
+    expect(result.success).toBe(true)
+    expect(result.data).not.toHaveProperty('status')
+  })
+
+  it('rejects helcimCustomerId field (mass assignment)', () => {
+    const result = memberCreateSchema.safeParse({ ...validMember, helcimCustomerId: 'cust_123' })
+    expect(result.success).toBe(true)
+    expect(result.data).not.toHaveProperty('helcimCustomerId')
+  })
+
+  it('rejects _id field (mass assignment)', () => {
+    const result = memberCreateSchema.safeParse({ ...validMember, _id: '507f1f77bcf86cd799439011' })
+    expect(result.success).toBe(true)
+    expect(result.data).not.toHaveProperty('_id')
+  })
+
+  it('rejects invalid circle enum', () => {
+    const result = memberCreateSchema.safeParse({ ...validMember, circle: 'superadmin' })
+    expect(result.success).toBe(false)
+  })
+
+  it('rejects invalid contributionTier enum', () => {
+    const result = memberCreateSchema.safeParse({ ...validMember, contributionTier: '999' })
+    expect(result.success).toBe(false)
+  })
+
+  it('rejects missing required fields', () => {
+    const result = memberCreateSchema.safeParse({ email: 'test@example.com' })
+    expect(result.success).toBe(false)
+  })
+
+  it('lowercases email', () => {
+    const result = memberCreateSchema.safeParse({ ...validMember, email: 'NEW@Example.COM' })
+    expect(result.success).toBe(true)
+    expect(result.data.email).toBe('new@example.com')
+  })
+})
+
+describe('eventRegistrationSchema', () => {
+  it('accepts valid registration', () => {
+    const result = eventRegistrationSchema.safeParse({ name: 'Jane', email: 'jane@example.com' })
+    expect(result.success).toBe(true)
+  })
+
+  it('rejects missing name', () => {
+    const result = eventRegistrationSchema.safeParse({ email: 'jane@example.com' })
+    expect(result.success).toBe(false)
+  })
+
+  it('rejects malformed email', () => {
+    const result = eventRegistrationSchema.safeParse({ name: 'Jane', email: 'bad' })
+    expect(result.success).toBe(false)
+  })
+
+  it('lowercases email', () => {
+    const result = eventRegistrationSchema.safeParse({ name: 'Jane', email: 'JANE@Example.COM' })
+    expect(result.success).toBe(true)
+    expect(result.data.email).toBe('jane@example.com')
+  })
+})
+
+describe('updateCreateSchema', () => {
+  it('accepts valid content', () => {
+    const result = updateCreateSchema.safeParse({ content: 'Hello world' })
+    expect(result.success).toBe(true)
+  })
+
+  it('rejects empty content', () => {
+    const result = updateCreateSchema.safeParse({ content: '' })
+    expect(result.success).toBe(false)
+  })
+
+  it('rejects content exceeding 50000 chars', () => {
+    const result = updateCreateSchema.safeParse({ content: 'a'.repeat(50001) })
+    expect(result.success).toBe(false)
+  })
+
+  it('accepts content at exactly 50000 chars', () => {
+    const result = updateCreateSchema.safeParse({ content: 'a'.repeat(50000) })
+    expect(result.success).toBe(true)
+  })
+
+  it('validates images are URLs', () => {
+    const result = updateCreateSchema.safeParse({
+      content: 'test',
+      images: ['not-a-url']
+    })
+    expect(result.success).toBe(false)
+  })
+
+  it('accepts valid images array', () => {
+    const result = updateCreateSchema.safeParse({
+      content: 'test',
+      images: ['https://example.com/img.png']
+    })
+    expect(result.success).toBe(true)
+  })
+
+  it('rejects more than 20 images', () => {
+    const images = Array.from({ length: 21 }, (_, i) => `https://example.com/img${i}.png`)
+    const result = updateCreateSchema.safeParse({ content: 'test', images })
+    expect(result.success).toBe(false)
+  })
+
+  it('validates privacy enum', () => {
+    const result = updateCreateSchema.safeParse({ content: 'test', privacy: 'invalid' })
+    expect(result.success).toBe(false)
+  })
+})
+
+describe('paymentVerifySchema', () => {
+  it('accepts valid card token and customer ID', () => {
+    const result = paymentVerifySchema.safeParse({ cardToken: 'tok_123', customerId: 'cust_456' })
+    expect(result.success).toBe(true)
+  })
+
+  it('rejects missing cardToken', () => {
+    const result = paymentVerifySchema.safeParse({ customerId: 'cust_456' })
+    expect(result.success).toBe(false)
+  })
+
+  it('rejects empty cardToken', () => {
+    const result = paymentVerifySchema.safeParse({ cardToken: '', customerId: 'cust_456' })
+    expect(result.success).toBe(false)
+  })
+})
+
+describe('adminEventCreateSchema', () => {
+  const validEvent = {
+    title: 'Test Event',
+    description: 'A test event',
+    startDate: '2026-04-01T10:00:00Z',
+    endDate: '2026-04-01T12:00:00Z'
+  }
+
+  it('accepts valid event data', () => {
+    const result = adminEventCreateSchema.safeParse(validEvent)
+    expect(result.success).toBe(true)
+  })
+
+  it('rejects missing title', () => {
+    const { title, ...rest } = validEvent
+    const result = adminEventCreateSchema.safeParse(rest)
+    expect(result.success).toBe(false)
+  })
+
+  it('rejects missing dates', () => {
+    const { startDate, endDate, ...rest } = validEvent
+    const result = adminEventCreateSchema.safeParse({ ...rest, title: 'Test' })
+    expect(result.success).toBe(false)
+  })
+})
+
+describe('memberProfileUpdateSchema', () => {
+  it('rejects role in profile update', () => {
+    const result = memberProfileUpdateSchema.safeParse({ role: 'admin', bio: 'test' })
+    expect(result.success).toBe(true)
+    expect(result.data).not.toHaveProperty('role')
+  })
+
+  it('rejects status in profile update', () => {
+    const result = memberProfileUpdateSchema.safeParse({ status: 'active', bio: 'test' })
+    expect(result.success).toBe(true)
+    expect(result.data).not.toHaveProperty('status')
+  })
+
+  it('validates privacy enum values', () => {
+    const result = memberProfileUpdateSchema.safeParse({ bioPrivacy: 'invalid' })
+    expect(result.success).toBe(false)
+  })
+
+  it('accepts valid privacy values', () => {
+    const result = memberProfileUpdateSchema.safeParse({ bioPrivacy: 'public' })
+    expect(result.success).toBe(true)
+  })
+})
+
+// --- validateBody integration tests ---
+
+describe('validateBody', () => {
+  it('returns validated data on success', async () => {
+    const event = createMockEvent({
+      method: 'POST',
+      body: { email: 'test@example.com' }
+    })
+    const data = await validateBody(event, emailSchema)
+    expect(data.email).toBe('test@example.com')
+  })
+
+  it('throws 400 on validation failure', async () => {
+    const event = createMockEvent({
+      method: 'POST',
+      body: { email: 'bad' }
+    })
+    await expect(validateBody(event, emailSchema)).rejects.toMatchObject({
+      statusCode: 400,
+      statusMessage: 'Validation failed'
+    })
+  })
+
+  it('strips unknown fields from output', async () => {
+    const event = createMockEvent({
+      method: 'POST',
+      body: { email: 'test@example.com', name: 'Test', circle: 'community', contributionTier: '0', role: 'admin', _id: 'fake' }
+    })
+    const data = await validateBody(event, memberCreateSchema)
+    expect(data).not.toHaveProperty('role')
+    expect(data).not.toHaveProperty('_id')
+    expect(data.email).toBe('test@example.com')
+    expect(data.name).toBe('Test')
+  })
+})
diff --git a/tests/server/helpers/createMockEvent.js b/tests/server/helpers/createMockEvent.js
new file mode 100644
index 0000000..922f9cd
--- /dev/null
+++ b/tests/server/helpers/createMockEvent.js
@@ -0,0 +1,72 @@
+import { IncomingMessage, ServerResponse } from 'node:http'
+import { Socket } from 'node:net'
+import { createEvent } from 'h3'
+
+/**
+ * Create a real h3 event backed by real Node.js request/response objects.
+ *
+ * Options:
+ *   method        - HTTP method (default 'GET')
+ *   path          - Request path (default '/')
+ *   headers       - Object of request headers
+ *   cookies       - Object of cookie key/value pairs (serialized to cookie header)
+ *   body          - Request body (will be JSON-serialized)
+ *   remoteAddress - Client IP (default '127.0.0.1')
+ */
+export function createMockEvent(options = {}) {
+  const {
+    method = 'GET',
+    path = '/',
+    headers = {},
+    cookies = {},
+    body = undefined,
+    remoteAddress = '127.0.0.1'
+  } = options
+
+  // Build cookie header from cookies object
+  const cookiePairs = Object.entries(cookies).map(([k, v]) => `${k}=${v}`)
+  if (cookiePairs.length > 0) {
+    headers.cookie = [headers.cookie, cookiePairs.join('; ')].filter(Boolean).join('; ')
+  }
+
+  // Build a real IncomingMessage
+  const socket = new Socket()
+  // remoteAddress is a getter-only property on Socket, so use defineProperty
+  Object.defineProperty(socket, 'remoteAddress', {
+    value: remoteAddress,
+    writable: true,
+    configurable: true
+  })
+  const req = new IncomingMessage(socket)
+  req.method = method
+  req.url = path
+  req.headers = Object.fromEntries(
+    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v])
+  )
+
+  // If body is provided, push it into the request stream so readBody can consume it
+  if (body !== undefined) {
+    const bodyStr = typeof body === 'string' ? body : JSON.stringify(body)
+    req.headers['content-type'] = req.headers['content-type'] || 'application/json'
+    req.headers['content-length'] = Buffer.byteLength(bodyStr).toString()
+    req.push(bodyStr)
+    req.push(null)
+  }
+
+  const res = new ServerResponse(req)
+
+  // Capture response headers for test assertions
+  const setHeaders = {}
+  const originalSetHeader = res.setHeader.bind(res)
+  res.setHeader = (name, value) => {
+    setHeaders[name.toLowerCase()] = value
+    return originalSetHeader(name, value)
+  }
+
+  const event = createEvent(req, res)
+
+  // Attach captured headers for test access
+  event._testSetHeaders = setHeaders
+
+  return event
+}
diff --git a/tests/server/middleware/csrf.test.js b/tests/server/middleware/csrf.test.js
new file mode 100644
index 0000000..bedca8f
--- /dev/null
+++ b/tests/server/middleware/csrf.test.js
@@ -0,0 +1,127 @@
+import { describe, it, expect, beforeEach } from 'vitest'
+import { createMockEvent } from '../helpers/createMockEvent.js'
+
+// Import the handler — defineEventHandler is a global passthrough,
+// so the default export is the raw handler function.
+import csrfMiddleware from '../../../server/middleware/01.csrf.js'
+
+describe('CSRF middleware', () => {
+  describe('safe methods bypass', () => {
+    it.each(['GET', 'HEAD', 'OPTIONS'])('%s requests pass through', (method) => {
+      const event = createMockEvent({ method, path: '/api/test' })
+      expect(() => csrfMiddleware(event)).not.toThrow()
+    })
+  })
+
+  describe('non-API paths bypass', () => {
+    it('POST to non-/api/ path passes through', () => {
+      const event = createMockEvent({ method: 'POST', path: '/some/page' })
+      expect(() => csrfMiddleware(event)).not.toThrow()
+    })
+  })
+
+  describe('exempt routes bypass', () => {
+    it.each([
+      '/api/helcim/webhook',
+      '/api/slack/webhook',
+      '/api/auth/verify'
+    ])('POST to %s passes through', (path) => {
+      const event = createMockEvent({ method: 'POST', path })
+      expect(() => csrfMiddleware(event)).not.toThrow()
+    })
+  })
+
+  describe('CSRF enforcement on state-changing API requests', () => {
+    it('throws 403 when POST to /api/* has no x-csrf-token header', () => {
+      const event = createMockEvent({
+        method: 'POST',
+        path: '/api/members/profile',
+        cookies: { 'csrf-token': 'abc123' }
+      })
+
+      expect(() => csrfMiddleware(event)).toThrowError(
+        expect.objectContaining({
+          statusCode: 403,
+          statusMessage: 'CSRF token missing or invalid'
+        })
+      )
+    })
+
+    it('throws 403 when header and cookie tokens do not match', () => {
+      const event = createMockEvent({
+        method: 'POST',
+        path: '/api/members/profile',
+        cookies: { 'csrf-token': 'cookie-token' },
+        headers: { 'x-csrf-token': 'different-token' }
+      })
+
+      expect(() => csrfMiddleware(event)).toThrowError(
+        expect.objectContaining({
+          statusCode: 403,
+          statusMessage: 'CSRF token missing or invalid'
+        })
+      )
+    })
+
+    it('passes when header and cookie tokens match', () => {
+      const token = 'matching-token-value'
+      const event = createMockEvent({
+        method: 'POST',
+        path: '/api/members/profile',
+        cookies: { 'csrf-token': token },
+        headers: { 'x-csrf-token': token }
+      })
+
+      expect(() => csrfMiddleware(event)).not.toThrow()
+    })
+
+    it('enforces CSRF on DELETE requests', () => {
+      const event = createMockEvent({
+        method: 'DELETE',
+        path: '/api/admin/events/123',
+        cookies: { 'csrf-token': 'abc' }
+      })
+
+      expect(() => csrfMiddleware(event)).toThrowError(
+        expect.objectContaining({ statusCode: 403 })
+      )
+    })
+
+    it('enforces CSRF on PATCH requests', () => {
+      const event = createMockEvent({
+        method: 'PATCH',
+        path: '/api/members/profile',
+        cookies: { 'csrf-token': 'abc' }
+      })
+
+      expect(() => csrfMiddleware(event)).toThrowError(
+        expect.objectContaining({ statusCode: 403 })
+      )
+    })
+  })
+
+  describe('cookie provisioning', () => {
+    it('sets csrf-token cookie when none exists', () => {
+      const event = createMockEvent({ method: 'GET', path: '/api/test' })
+      csrfMiddleware(event)
+
+      // The middleware calls setCookie which sets a Set-Cookie header
+      const setCookieHeader = event._testSetHeaders['set-cookie']
+      expect(setCookieHeader).toBeDefined()
+      expect(setCookieHeader).toContain('csrf-token=')
+    })
+
+    it('does not set a new cookie when one already exists', () => {
+      const event = createMockEvent({
+        method: 'GET',
+        path: '/api/test',
+        cookies: { 'csrf-token': 'existing-token' }
+      })
+      csrfMiddleware(event)
+
+      const setCookieHeader = event._testSetHeaders['set-cookie']
+      // Should not have set a new cookie
+      expect(setCookieHeader).toBeUndefined()
+    })
+  })
+})
diff --git a/tests/server/middleware/rate-limit.test.js b/tests/server/middleware/rate-limit.test.js
new file mode 100644
index 0000000..2f81a62
--- /dev/null
+++ b/tests/server/middleware/rate-limit.test.js
@@ -0,0 +1,95 @@
+import { describe, it, expect, beforeEach, vi } from 'vitest'
+import { createMockEvent } from '../helpers/createMockEvent.js'
+
+describe('rate-limit middleware', () => {
+  // Fresh import per describe block to get fresh limiter instances
+  let rateLimitMiddleware
+
+  beforeEach(async () => {
+    vi.resetModules()
+    const mod = await import('../../../server/middleware/03.rate-limit.js')
+    rateLimitMiddleware = mod.default
+  })
+
+  describe('non-API paths', () => {
+    it('skips rate limiting for non-/api/ paths', async () => {
+      const event = createMockEvent({ path: '/about', remoteAddress: '10.0.0.1' })
+      await expect(rateLimitMiddleware(event)).resolves.toBeUndefined()
+    })
+  })
+
+  describe('auth endpoint limiting (5 per 5 min)', () => {
+    it('allows 5 requests then blocks the 6th', async () => {
+      const ip = '10.0.1.1'
+
+      // First 5 should succeed
+      for (let i = 0; i < 5; i++) {
+        const event = createMockEvent({
+          method: 'POST',
+          path: '/api/auth/login',
+          remoteAddress: ip
+        })
+        await expect(rateLimitMiddleware(event)).resolves.toBeUndefined()
+      }
+
+      // 6th should be rate limited
+      const event = createMockEvent({
+        method: 'POST',
+        path: '/api/auth/login',
+        remoteAddress: ip
+      })
+      await expect(rateLimitMiddleware(event)).rejects.toMatchObject({
+        statusCode: 429
+      })
+
+      // Check Retry-After header was set
+      expect(event._testSetHeaders['retry-after']).toBeDefined()
+    })
+  })
+
+  describe('payment endpoint limiting (10 per min)', () => {
+    it('allows 10 requests then blocks the 11th', async () => {
+      const ip = '10.0.2.1'
+
+      for (let i = 0; i < 10; i++) {
+        const event = createMockEvent({
+          method: 'POST',
+          path: '/api/helcim/initialize-payment',
+          remoteAddress: ip
+        })
+        await expect(rateLimitMiddleware(event)).resolves.toBeUndefined()
+      }
+
+      const event = createMockEvent({
+        method: 'POST',
+        path: '/api/helcim/initialize-payment',
+        remoteAddress: ip
+      })
+      await expect(rateLimitMiddleware(event)).rejects.toMatchObject({
+        statusCode: 429
+      })
+    })
+  })
+
+  describe('IP isolation', () => {
+    it('different IPs have separate rate limit counters', async () => {
+      // Exhaust limit for IP A
+      for (let i = 0; i < 5; i++) {
+        const event = createMockEvent({
+          method: 'POST',
+          path: '/api/auth/login',
+          remoteAddress: '10.0.3.1'
+        })
+        await rateLimitMiddleware(event)
+      }
+
+      // IP B should still be able to make requests
+      const event = createMockEvent({
+        method: 'POST',
+        path: '/api/auth/login',
+        remoteAddress: '10.0.3.2'
+      })
+      await expect(rateLimitMiddleware(event)).resolves.toBeUndefined()
+    })
+  })
+})
diff --git a/tests/server/middleware/security-headers.test.js b/tests/server/middleware/security-headers.test.js
new file mode 100644
index 0000000..e6b50b1
--- /dev/null
+++ b/tests/server/middleware/security-headers.test.js
@@ -0,0 +1,106 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest'
+import { createMockEvent } from '../helpers/createMockEvent.js'
+import securityHeadersMiddleware from '../../../server/middleware/02.security-headers.js'
+
+describe('security-headers middleware', () => {
+  const originalNodeEnv = process.env.NODE_ENV
+
+  afterEach(() => {
+    process.env.NODE_ENV = originalNodeEnv
+  })
+
+  describe('always-present headers', () => {
+    beforeEach(() => {
+      process.env.NODE_ENV = 'development'
+    })
+
+    it('sets X-Content-Type-Options to nosniff', () => {
+      const event = createMockEvent({ path: '/' })
+      securityHeadersMiddleware(event)
+      expect(event._testSetHeaders['x-content-type-options']).toBe('nosniff')
+    })
+
+    it('sets X-Frame-Options to DENY', () => {
+      const event = createMockEvent({ path: '/' })
+      securityHeadersMiddleware(event)
+      expect(event._testSetHeaders['x-frame-options']).toBe('DENY')
+    })
+
+    it('sets X-XSS-Protection to 0', () => {
+      const event = createMockEvent({ path: '/' })
+      securityHeadersMiddleware(event)
+      expect(event._testSetHeaders['x-xss-protection']).toBe('0')
+    })
+
+    it('sets Referrer-Policy', () => {
+      const event = createMockEvent({ path: '/' })
+      securityHeadersMiddleware(event)
+      expect(event._testSetHeaders['referrer-policy']).toBe('strict-origin-when-cross-origin')
+    })
+
+    it('sets Permissions-Policy', () => {
+      const event = createMockEvent({ path: '/' })
+      securityHeadersMiddleware(event)
+      expect(event._testSetHeaders['permissions-policy']).toBe('camera=(), microphone=(), geolocation=()')
+    })
+  })
+
+  describe('production-only headers', () => {
+    it('sets HSTS in production', () => {
+      process.env.NODE_ENV = 'production'
+      const event = createMockEvent({ path: '/' })
+      securityHeadersMiddleware(event)
+      expect(event._testSetHeaders['strict-transport-security']).toBe('max-age=31536000; includeSubDomains')
+    })
+
+    it('does not set HSTS in development', () => {
+      process.env.NODE_ENV = 'development'
+      const event = createMockEvent({ path: '/' })
+      securityHeadersMiddleware(event)
+      expect(event._testSetHeaders['strict-transport-security']).toBeUndefined()
+    })
+
+    it('sets CSP in production', () => {
+      process.env.NODE_ENV = 'production'
+      const event = createMockEvent({ path: '/' })
+      securityHeadersMiddleware(event)
+      expect(event._testSetHeaders['content-security-policy']).toBeDefined()
+    })
+
+    it('does not set CSP in development', () => {
+      process.env.NODE_ENV = 'development'
+      const event = createMockEvent({ path: '/' })
+      securityHeadersMiddleware(event)
+      expect(event._testSetHeaders['content-security-policy']).toBeUndefined()
+    })
+  })
+
+  describe('CSP directives', () => {
+    beforeEach(() => {
+      process.env.NODE_ENV = 'production'
+    })
+
+    it('includes Helcim sources in CSP', () => {
+      const event = createMockEvent({ path: '/' })
+      securityHeadersMiddleware(event)
+      const csp = event._testSetHeaders['content-security-policy']
+      expect(csp).toContain('myposjs.helcim.com')
+      expect(csp).toContain('api.helcim.com')
+      expect(csp).toContain('secure.helcim.com')
+    })
+
+    it('includes Cloudinary sources in CSP', () => {
+      const event = createMockEvent({ path: '/' })
+      securityHeadersMiddleware(event)
+      const csp = event._testSetHeaders['content-security-policy']
+      expect(csp).toContain('res.cloudinary.com')
+    })
+
+    it('includes Plausible sources in CSP', () => {
+      const event = createMockEvent({ path: '/' })
+      securityHeadersMiddleware(event)
+      const csp = event._testSetHeaders['content-security-policy']
+      expect(csp).toContain('plausible.io')
+    })
+  })
+})
diff --git a/tests/server/setup.js b/tests/server/setup.js
new file mode 100644
index 0000000..37575c2
--- /dev/null
+++ b/tests/server/setup.js
@@ -0,0 +1,34 @@
+import { vi } from 'vitest'
+import {
+  getCookie,
+  setCookie,
+  getMethod,
+  getHeader,
+  getHeaders,
+  setHeader,
+  getRequestURL,
+  createError,
+  defineEventHandler,
+  readBody,
+  getQuery,
+  getRouterParam
+} from 'h3'
+
+// Register real h3 functions as globals so server code that relies on
+// Nitro auto-imports can find them in the test environment.
+vi.stubGlobal('getCookie', getCookie)
+vi.stubGlobal('setCookie', setCookie)
+vi.stubGlobal('getMethod', getMethod)
+vi.stubGlobal('getHeader', getHeader)
+vi.stubGlobal('getHeaders', getHeaders)
+vi.stubGlobal('setHeader', setHeader)
+vi.stubGlobal('getRequestURL', getRequestURL)
+vi.stubGlobal('createError', createError)
+vi.stubGlobal('defineEventHandler', defineEventHandler)
+vi.stubGlobal('readBody', readBody)
+vi.stubGlobal('getQuery', getQuery)
+vi.stubGlobal('getRouterParam', getRouterParam)
+
+vi.stubGlobal('useRuntimeConfig', () => ({
+  jwtSecret: 'test-jwt-secret'
+}))
diff --git a/tests/server/utils/auth.test.js b/tests/server/utils/auth.test.js
new file mode 100644
index 0000000..815185f
--- /dev/null
+++ b/tests/server/utils/auth.test.js
@@ -0,0 +1,142 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+
+vi.mock('../../../server/models/member.js', () => ({
+  default: { findById: vi.fn() }
+}))
+
+vi.mock('../../../server/utils/mongoose.js', () => ({
+  connectDB: vi.fn()
+}))
+
+vi.mock('jsonwebtoken', () => ({
+  default: { verify: vi.fn() }
+}))
+
+import Member from '../../../server/models/member.js'
+import jwt from 'jsonwebtoken'
+import { requireAuth, requireAdmin } from '../../../server/utils/auth.js'
+import { createMockEvent } from '../helpers/createMockEvent.js'
+
+describe('requireAuth', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+
+  it('throws 401 when no auth-token cookie', async () => {
+    const event = createMockEvent({ path: '/api/test' })
+
+    await expect(requireAuth(event)).rejects.toMatchObject({
+      statusCode: 401,
+      statusMessage: 'Authentication required'
+    })
+  })
+
+  it('throws 401 when JWT is invalid', async () => {
+    jwt.verify.mockImplementation(() => { throw new Error('invalid token') })
+
+    const event = createMockEvent({
+      path: '/api/test',
+      cookies: { 'auth-token': 'bad-token' }
+    })
+
+    await expect(requireAuth(event)).rejects.toMatchObject({
+      statusCode: 401,
+      statusMessage: 'Invalid or expired token'
+    })
+  })
+
+  it('throws 401 when member not found in DB', async () => {
+    jwt.verify.mockReturnValue({ memberId: 'member-123' })
+    Member.findById.mockResolvedValue(null)
+
+    const event = createMockEvent({
+      path: '/api/test',
+      cookies: { 'auth-token': 'valid-token' }
+    })
+
+    await expect(requireAuth(event)).rejects.toMatchObject({
+      statusCode: 401,
+      statusMessage: 'Member not found'
+    })
+  })
+
+  it('throws 403 when member is suspended', async () => {
+    jwt.verify.mockReturnValue({ memberId: 'member-123' })
+    Member.findById.mockResolvedValue({ _id: 'member-123', status: 'suspended', role: 'member' })
+
+    const event = createMockEvent({
+      path: '/api/test',
+      cookies: { 'auth-token': 'valid-token' }
+    })
+
+    await expect(requireAuth(event)).rejects.toMatchObject({
+      statusCode: 403,
+      statusMessage: 'Account is suspended'
+    })
+  })
+
+  it('throws 403 when member is cancelled', async () => {
+    jwt.verify.mockReturnValue({ memberId: 'member-123' })
+    Member.findById.mockResolvedValue({ _id: 'member-123', status: 'cancelled', role: 'member' })
+
+    const event = createMockEvent({
+      path: '/api/test',
+      cookies: { 'auth-token': 'valid-token' }
+    })
+
+    await expect(requireAuth(event)).rejects.toMatchObject({
+      statusCode: 403,
+      statusMessage: 'Account is cancelled'
+    })
+  })
+
+  it('returns member when token and status are valid', async () => {
+    const mockMember = { _id: 'member-123', status: 'active', role: 'member', email: 'test@example.com' }
+    jwt.verify.mockReturnValue({ memberId: 'member-123' })
+    Member.findById.mockResolvedValue(mockMember)
+
+    const event = createMockEvent({
+      path: '/api/test',
+      cookies: { 'auth-token': 'valid-token' }
+    })
+
+    const result = await requireAuth(event)
+    expect(result).toEqual(mockMember)
+  })
+})
+
+describe('requireAdmin', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+
+  it('throws 403 when member is not admin', async () => {
+    const mockMember = { _id: 'member-123', status: 'active', role: 'member' }
+    jwt.verify.mockReturnValue({ memberId: 'member-123' })
+    Member.findById.mockResolvedValue(mockMember)
+
+    const event = createMockEvent({
+      path: '/api/admin/test',
+      cookies: { 'auth-token': 'valid-token' }
+    })
+
+    await expect(requireAdmin(event)).rejects.toMatchObject({
+      statusCode: 403,
+      statusMessage: 'Admin access required'
+    })
+  })
+
+  it('returns member when role is admin', async () => {
+    const mockMember = { _id: 'admin-123', status: 'active', role: 'admin', email: 'admin@example.com' }
+    jwt.verify.mockReturnValue({ memberId: 'admin-123' })
+    Member.findById.mockResolvedValue(mockMember)
+
+    const event = createMockEvent({
+      path: '/api/admin/test',
+      cookies: { 'auth-token': 'valid-token' }
+    })
+
+    const result = await requireAdmin(event)
+    expect(result).toEqual(mockMember)
+  })
+})
diff --git a/tests/server/utils/escapeHtml.test.js b/tests/server/utils/escapeHtml.test.js
new file mode 100644
index 0000000..359c37c
--- /dev/null
+++ b/tests/server/utils/escapeHtml.test.js
@@ -0,0 +1,60 @@
+import { describe, it, expect } from 'vitest'
+import { escapeHtml } from '../../../server/utils/escapeHtml.js'
+
+describe('escapeHtml', () => {
+  it('escapes ampersands', () => {
+    expect(escapeHtml('a&b')).toBe('a&amp;b')
+  })
+
+  it('escapes less-than signs', () => {
+    expect(escapeHtml('a<b')).toBe('a&lt;b')
+  })
+
+  it('escapes greater-than signs', () => {
+    expect(escapeHtml('a>b')).toBe('a&gt;b')
+  })
+
+  it('escapes double quotes', () => {
+    expect(escapeHtml('a"b')).toBe('a&quot;b')
+  })
+
+  it('escapes single quotes', () => {
+    expect(escapeHtml("a'b")).toBe('a&#39;b')
+  })
+
+  it('escapes all entities in a single string', () => {
+    expect(escapeHtml('<div class="x">&\'test\'')).toBe(
+      '&lt;div class=&quot;x&quot;&gt;&amp;&#39;test&#39;'
+    )
+  })
+
+  it('returns empty string for null', () => {
+    expect(escapeHtml(null)).toBe('')
+  })
+
+  it('returns empty string for undefined', () => {
+    expect(escapeHtml(undefined)).toBe('')
+  })
+
+  it('converts numbers to string', () => {
+    expect(escapeHtml(42)).toBe('42')
+  })
+
+  it('passes safe strings through unchanged', () => {
+    expect(escapeHtml('hello world')).toBe('hello world')
+  })
+
+  it('neutralizes script tag XSS payload', () => {
+    const payload = '<script>alert("xss")</script>'
+    const result = escapeHtml(payload)
+    expect(result).not.toContain('<script>')
+    expect(result).toBe('&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;')
+  })
+
+  it('neutralizes img onerror XSS payload', () => {
+    const payload = '<img onerror="alert(1)" src=x>'
+    const result = escapeHtml(payload)
+    expect(result).not.toContain('<img')
+    expect(result).toBe('&lt;img onerror=&quot;alert(1)&quot; src=x&gt;')
+  })
+})
diff --git a/vitest.config.js b/vitest.config.js
new file mode 100644
index 0000000..5bb28eb
--- /dev/null
+++ b/vitest.config.js
@@ -0,0 +1,25 @@
+import { defineConfig } from 'vitest/config'
+
+export default defineConfig({
+  test: {
+    projects: [
+      {
+        test: {
+          name: 'server',
+          include: ['tests/server/**/*.test.js'],
+          environment: 'node',
+          globals: true,
+          setupFiles: ['./tests/server/setup.js']
+        }
+      },
+      {
+        test: {
+          name: 'client',
+          include: ['tests/client/**/*.test.js'],
+          environment: 'jsdom',
+          globals: true
+        }
+      }
+    ]
+  }
+})