diff --git a/.env.example b/.env.example
index 28109ca..5a02892 100644
--- a/.env.example
+++ b/.env.example
@@ -20,9 +20,4 @@ SLACK_OAUTH_TOKEN=your-slack-oauth-token
 JWT_SECRET=your-jwt-secret-key-change-this-in-production
 
 # Application URLs
-APP_URL=http://localhost:3000
-
-# OIDC Provider (for Outline Wiki SSO)
-OIDC_CLIENT_ID=outline-wiki
-OIDC_CLIENT_SECRET=<generate-with-openssl-rand-hex-32>
-OIDC_COOKIE_SECRET=<generate-with-openssl-rand-hex-32>
\ No newline at end of file
+APP_URL=http://localhost:3000
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index a3170a0..400f35a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,10 +17,10 @@ logs
 .DS_Store
 .fleet
 .idea
-docs/*
 
 # Local env files
 .env
 .env.*
 !.env.example
+/docs/
 scripts/*.js
diff --git a/app/components/AppNavigation.vue b/app/components/AppNavigation.vue
index b32ed17..bdbb47d 100644
--- a/app/components/AppNavigation.vue
+++ b/app/components/AppNavigation.vue
@@ -211,7 +211,9 @@ const handleLogin = async () => {
   } catch (err) {
     console.error("Login error:", err);
 
-    if (err.statusCode === 500) {
+    if (err.statusCode === 404) {
+      loginError.value = "No account found";
+    } else if (err.statusCode === 500) {
       loginError.value = "Failed to send email";
     } else {
       loginError.value = "Something went wrong";
diff --git a/app/components/LoginModal.vue b/app/components/LoginModal.vue
index a826505..543a936 100644
--- a/app/components/LoginModal.vue
+++ b/app/components/LoginModal.vue
@@ -167,7 +167,9 @@ const handleLogin = async () => {
   } catch (err) {
     console.error('Login error:', err)
 
-    if (err.statusCode === 500) {
+    if (err.statusCode === 404) {
+      loginError.value = 'No account found with that email. Please check your email or join Ghost Guild.'
+    } else if (err.statusCode === 500) {
       loginError.value = 'Failed to send login email. Please try again later.'
     } else {
       loginError.value = err.statusMessage || 'Something went wrong. Please try again.'
diff --git a/app/composables/useMarkdown.js b/app/composables/useMarkdown.js
index b66430b..9794192 100644
--- a/app/composables/useMarkdown.js
+++ b/app/composables/useMarkdown.js
@@ -1,29 +1,12 @@
 import { marked } from 'marked'
-import DOMPurify from 'isomorphic-dompurify'
-
-const ALLOWED_TAGS = [
-  'a', 'strong', 'em', 'b', 'i', 'u',
-  'ul', 'ol', 'li', 'p', 'br',
-  'code', 'pre', 'blockquote',
-  'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
-  'hr', 'table', 'thead', 'tbody', 'tr', 'th', 'td',
-  'del', 'sup', 'sub'
-]
-
-const ALLOWED_ATTR = ['href', 'target', 'rel', 'class']
 
 export const useMarkdown = () => {
   const render = (markdown) => {
     if (!markdown) return ''
-    const raw = marked(markdown, {
+    return marked(markdown, {
       breaks: true,
       gfm: true
     })
-    return DOMPurify.sanitize(raw, {
-      ALLOWED_TAGS,
-      ALLOWED_ATTR,
-      ALLOW_DATA_ATTR: false
-    })
   }
 
   return {
diff --git a/app/middleware/admin.js b/app/middleware/admin.js
index cf2d155..2c643a7 100644
--- a/app/middleware/admin.js
+++ b/app/middleware/admin.js
@@ -1,17 +1,18 @@
-export default defineNuxtRouteMiddleware(async (to) => {
+export default defineNuxtRouteMiddleware((to) => {
+  // Skip middleware in server-side rendering to avoid errors
   if (process.server) return
-
-  const { isAuthenticated, memberData, checkMemberStatus } = useAuth()
-
-  if (!isAuthenticated.value) {
-    await checkMemberStatus()
-  }
-
-  if (!isAuthenticated.value) {
-    return navigateTo('/')
-  }
-
-  if (memberData.value?.role !== 'admin') {
-    return navigateTo('/members')
-  }
-})
+  
+  // TODO: Temporarily disabled for testing - enable when authentication is set up
+  // Check if user is authenticated (you'll need to implement proper auth state)
+  // const isAuthenticated = useCookie('auth-token').value
+  
+  // if (!isAuthenticated) {
+  //   throw createError({
+  //     statusCode: 401,
+  //     statusMessage: 'Authentication required'
+  //   })
+  // }
+  
+  // TODO: Add proper role-based authorization
+  // For now, we assume anyone with a valid token is an admin
+})
\ No newline at end of file
diff --git a/app/pages/oidc/login.vue b/app/pages/oidc/login.vue
deleted file mode 100644
index c224c11..0000000
--- a/app/pages/oidc/login.vue
+++ /dev/null
@@ -1,96 +0,0 @@
-<script setup lang="ts">
-definePageMeta({
-  layout: false,
-});
-
-const route = useRoute();
-const uid = route.query.uid as string;
-
-const email = ref("");
-const sent = ref(false);
-const loading = ref(false);
-const error = ref("");
-
-async function sendMagicLink() {
-  if (!email.value || !uid) return;
-  loading.value = true;
-  error.value = "";
-
-  try {
-    await $fetch("/oidc/interaction/login", {
-      method: "POST",
-      body: { email: email.value, uid },
-    });
-    sent.value = true;
-  } catch (e: any) {
-    error.value = e?.data?.statusMessage || "Something went wrong. Please try again.";
-  } finally {
-    loading.value = false;
-  }
-}
-</script>
-
-<template>
-  <div class="min-h-screen flex items-center justify-center bg-gray-50 px-4">
-    <div class="w-full max-w-sm">
-      <div class="bg-white rounded-lg shadow-md p-8">
-        <div class="text-center mb-6">
-          <h1 class="text-2xl font-bold text-gray-900">Ghost Guild Wiki</h1>
-          <p class="mt-2 text-sm text-gray-600">
-            Sign in with your Ghost Guild account
-          </p>
-        </div>
-
-        <template v-if="!sent">
-          <form @submit.prevent="sendMagicLink" class="space-y-4">
-            <div>
-              <label for="email" class="block text-sm font-medium text-gray-700 mb-1">
-                Email address
-              </label>
-              <input
-                id="email"
-                v-model="email"
-                type="email"
-                required
-                placeholder="you@example.com"
-                class="w-full px-3 py-2 border border-gray-300 rounded-md shadow-sm focus:ring-2 focus:ring-blue-500 focus:border-blue-500 text-sm"
-                :disabled="loading"
-              />
-            </div>
-
-            <p v-if="error" class="text-sm text-red-600">{{ error }}</p>
-
-            <button
-              type="submit"
-              :disabled="loading || !email"
-              class="w-full py-2 px-4 bg-blue-600 text-white text-sm font-medium rounded-md hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2 disabled:opacity-50 disabled:cursor-not-allowed"
-            >
-              {{ loading ? "Sending..." : "Send magic link" }}
-            </button>
-          </form>
-
-          <p class="mt-4 text-xs text-center text-gray-500">
-            We'll send a sign-in link to your email.
-          </p>
-        </template>
-
-        <template v-else>
-          <div class="text-center space-y-3">
-            <div class="text-4xl">✉️</div>
-            <h2 class="text-lg font-semibold text-gray-900">Check your email</h2>
-            <p class="text-sm text-gray-600">
-              We sent a sign-in link to <strong>{{ email }}</strong>.
-              Click the link in the email to continue.
-            </p>
-            <button
-              @click="sent = false; email = '';"
-              class="mt-4 text-sm text-blue-600 hover:text-blue-800"
-            >
-              Use a different email
-            </button>
-          </div>
-        </template>
-      </div>
-    </div>
-  </div>
-</template>
diff --git a/app/plugins/csrf.client.js b/app/plugins/csrf.client.js
deleted file mode 100644
index e5743bc..0000000
--- a/app/plugins/csrf.client.js
+++ /dev/null
@@ -1,23 +0,0 @@
-export default defineNuxtPlugin(() => {
-  const safeMethods = new Set(['GET', 'HEAD', 'OPTIONS'])
-
-  globalThis.$fetch = globalThis.$fetch.create({
-    onRequest({ options }) {
-      const method = (options.method || 'GET').toUpperCase()
-      if (safeMethods.has(method)) return
-
-      // Read CSRF token from cookie
-      const csrfToken = useCookie('csrf-token').value
-      if (csrfToken) {
-        options.headers = options.headers || {}
-        if (options.headers instanceof Headers) {
-          options.headers.set('x-csrf-token', csrfToken)
-        } else if (Array.isArray(options.headers)) {
-          options.headers.push(['x-csrf-token', csrfToken])
-        } else {
-          options.headers['x-csrf-token'] = csrfToken
-        }
-      }
-    }
-  })
-})
diff --git a/docs/SECURITY_EVALUATION.md b/docs/SECURITY_EVALUATION.md
deleted file mode 100644
index b337246..0000000
--- a/docs/SECURITY_EVALUATION.md
+++ /dev/null
@@ -1,282 +0,0 @@
-# Ghost Guild Security Evaluation
-
-**Date:** 2026-02-28 (updated 2026-03-01)
-**Framework:** OWASP ASVS v4.0, Level 1
-**Scope:** Full application stack (Nuxt 4 + Nitro server + MongoDB)
-
----
-
-## Framework Rationale
-
-Ghost Guild handles payments (Helcim), PII, and user-generated content. We evaluated four frameworks before selecting ASVS:
-
-| Framework | Why Not |
-|---|---|
-| PCI-DSS | Too narrow -- only covers payment surface, misses auth/XSS/access control |
-| NIST CSF / ISO 27001 | Organizational frameworks, not application-level |
-| OWASP Top 10 | Too coarse -- categories without testable requirements |
-| **OWASP ASVS L1** | **Selected** -- purpose-built for web apps, testable pass/fail criteria across 14 chapters |
-
-ASVS Level 1 targets "all software" and is achievable for a small team.
-
----
-
-## Findings
-
-### Severity Summary
-
-| Severity | Count | Key Areas |
-|----------|-------|-----------|
-| CRITICAL | 5 | Admin auth disabled, payment verification stub, XSS (markdown + emails), cookie flags |
-| HIGH | 9 | No rate limiting, no CSRF, JWT secret fallback, unauthenticated endpoints, mass assignment |
-| MEDIUM | 5 | Long-lived tokens, Slack secrets unused, devtools, data logging, regex injection |
-| LOW | 2 | User enumeration, email format validation |
-
----
-
-### CRITICAL
-
-#### C1. Admin endpoints completely unprotected
-- **ASVS:** V4.1.1 (Trusted enforcement)
-- **Files:** All routes under `server/api/admin/`
-- **Evidence:** Auth code is commented out with `// TODO: Temporarily disabled auth for testing`. Anyone can list all members, create/delete events, and view revenue dashboard. The Member model has no `role` or `isAdmin` field.
-
-#### C2. Payment verification is a stub
-- **ASVS:** V10.2.1 (Business logic integrity)
-- **File:** `server/api/helcim/verify-payment.post.js`
-- **Evidence:** Returns `{ success: true, cardToken: body.cardToken }` without calling the Helcim API.
-
-#### C3. XSS via unsanitized markdown
-- **ASVS:** V5.3.3 (Output encoding for HTML)
-- **Files:** `app/composables/useMarkdown.js`, `app/pages/members.vue:247`
-- **Evidence:** `marked()` output rendered via `v-html` with no DOMPurify.
-
-#### C4. XSS in email templates
-- **ASVS:** V5.2.6 (Server-side injection)
-- **File:** `server/utils/resend.js` (11+ interpolation points)
-- **Evidence:** User-supplied values interpolated directly into HTML email bodies.
-
-#### C5. Session cookie allows JavaScript access
-- **ASVS:** V3.2.1 (Cookie attributes)
-- **File:** `server/api/auth/verify.get.js:40-45`
-- **Evidence:** `httpOnly: false, secure: false`. Session token accessible to any JavaScript.
-
----
-
-### HIGH
-
-#### H1. No rate limiting on any endpoint
-- **ASVS:** V13.2.5
-- **Evidence:** No rate limiting middleware anywhere. Login, registration, uploads, and payment endpoints are unlimited.
-
-#### H2. No CSRF protection
-- **ASVS:** V3.5.2
-- **Evidence:** No CSRF tokens, double-submit cookies, or CSRF middleware.
-
-#### H3. Hardcoded JWT fallback secret
-- **ASVS:** V6.4.1 (Key management)
-- **File:** `nuxt.config.ts:17`
-- **Evidence:** `jwtSecret: process.env.JWT_SECRET || 'dev-secret-change-in-production'`
-
-#### H4. File upload endpoint unauthenticated
-- **ASVS:** V4.1.3
-- **File:** `server/api/upload/image.post.js`
-- **Evidence:** No auth check. Anyone can upload images.
-
-#### H5. Helcim payment endpoints mostly unauthenticated
-- **ASVS:** V4.1.1
-- **Files:** `verify-payment.post.js`, `initialize-payment.post.js`, `update-billing.post.js`, `subscription.post.js`
-
-#### H6. Mass assignment: helcimCustomerId in allowedFields
-- **ASVS:** V5.1.3
-- **File:** `server/api/members/profile.patch.js:40`
-- **Evidence:** A member can change their own Helcim customer ID.
-
-#### H7. No input validation
-- **ASVS:** V5.1.3
-- **Evidence:** Zod is installed but has zero imports. All validation is ad-hoc.
-
-#### H8. User enumeration on login
-- **ASVS:** V2.1.7
-- **File:** `server/api/auth/login.post.js:24-28`
-- **Evidence:** Returns 404 "No account found" vs success.
-
-#### H9. No security headers
-- **ASVS:** V9.1.1
-- **Evidence:** No CSP, HSTS, X-Frame-Options, or X-Content-Type-Options.
-
----
-
-### MEDIUM
-
-| ID | ASVS | Finding | File |
-|----|------|---------|------|
-| M1 | V2.5.2 | 30-day static session token, no rotation | `verify.get.js:36` |
-| M2 | V10.2.2 | Slack signing secret defined but never used | `nuxt.config.ts:21` |
-| M3 | V7.4.1 | DevTools enabled unconditionally | `nuxt.config.ts:4` |
-| M4 | V7.1.1 | Console logging of payment data and API token substrings | `helcim/customer.post.js:42` |
-| M5 | V5.3.4 | Unescaped regex in directory search | `members/directory.get.js:49-51` |
-
-### LOW
-
-| ID | ASVS | Finding | File |
-|----|------|---------|------|
-| L1 | V2.1.7 | Timing-based enumeration via DB lookup | `auth/login.post.js` |
-| L2 | V5.1.3 | No email format validation on login | `auth/login.post.js:15` |
-
----
-
-## Future Feature Risk Assessment
-
-| Planned Feature | Risk | Must Address First |
-|---|---|---|
-| Rich text member updates | Same XSS pattern as C3 | Fix markdown sanitization (C3) |
-| Resource library with downloads | Unauthenticated upload (H4), malware distribution | Add upload auth (H4), file validation |
-| Etherpad integration | External content rendered unsanitized | Build sanitization utility (C3) |
-| Cal.com integration | API credential exposure | Fix secret management (H3) |
-| Member-proposed events | No admin role model, no approval workflow | Build RBAC (C1) |
-| Advanced search/analytics | Regex injection (M5), privacy leakage | Fix regex escaping (M5) |
-
----
-
-## Remediation Summary (Phases 0-1 + partial Phase 2)
-
-All work lives on branch `security/asvs-remediation`.
-
-### Auth guards (`server/utils/auth.js`)
-- `requireAuth(event)` -- Reads JWT from `auth-token` cookie, verifies against `jwtSecret`, loads member from DB, rejects suspended/cancelled accounts (403). Auto-imported by Nitro.
-- `requireAdmin(event)` -- Calls `requireAuth`, then checks `member.role === 'admin'` (403 if not). Member model gained `role` field (enum: `member`/`admin`, default `member`).
-- Applied to all `server/api/admin/`, `server/api/upload/`, and `server/api/helcim/` endpoints.
-
-### CSRF (`server/middleware/01.csrf.js` + `app/plugins/csrf.client.js`)
-- Double-submit cookie pattern. Middleware generates a random token cookie on first request, then enforces that POST/PATCH/DELETE to `/api/*` include a matching `x-csrf-token` header.
-- Client plugin reads the cookie and attaches the header on every `$fetch` request.
-- Exempt routes: `/api/helcim/webhook`, `/api/slack/webhook`, `/api/auth/verify`.
-
-### Security headers (`server/middleware/02.security-headers.js`)
-- Always: `X-Content-Type-Options: nosniff`, `X-Frame-Options: DENY`, `X-XSS-Protection: 0`, `Referrer-Policy: strict-origin-when-cross-origin`, `Permissions-Policy: camera=(), microphone=(), geolocation=()`.
-- Production only: HSTS (1 year, includeSubDomains) and CSP allowing Helcim, Cloudinary, and Plausible sources.
-
-### Rate limiting (`server/middleware/03.rate-limit.js`)
-- `rate-limiter-flexible` with in-memory stores, keyed by client IP.
-- Auth endpoints: 5 requests per 5 minutes. Payment endpoints: 10 per minute. Uploads: 10 per minute. General API: 100 per minute.
-- Returns 429 with `Retry-After` header on exhaustion.
-
-### XSS prevention
-- **Markdown** (`app/composables/useMarkdown.js`): `marked()` output sanitized through DOMPurify with explicit allowlists for tags and attributes. Strips script/iframe/object/embed/img and all event handler attributes.
-- **Email templates** (`server/utils/escapeHtml.js`): Pure function escaping `& < > " '` to HTML entities. Applied to all user-supplied interpolations in `server/utils/resend.js`.
-
-### Anti-enumeration (`server/api/auth/login.post.js`)
-- Login returns identical `{ success: true, message: "If this email is registered, we've sent a login link." }` for both existing and non-existing emails.
-
-### Mass assignment (`server/api/members/profile.patch.js`)
-- Explicit allowlist of profile fields. `helcimCustomerId`, `role`, `status`, `email`, `_id` are excluded from the `$set` update.
-
-### Session management
-- 7-day token expiry with refresh endpoint at `/api/auth/refresh`.
-
----
-
-## Remediation Roadmap
-
-### Phase 0: Emergency (before any production traffic) -- COMPLETE
-
-| # | Finding | Fix | ASVS | Status |
-|---|---------|-----|------|--------|
-| 1 | C5 | Set `httpOnly: true`, `secure` conditional on NODE_ENV | V3.2.1 | Done |
-| 2 | C3 | Install `isomorphic-dompurify`, sanitize `marked()` output | V5.3.3 | Done |
-| 3 | C1 | Add `role` field to Member model, re-enable admin auth with role check | V4.1.1 | Done |
-| 4 | C2 | Call Helcim API in verify-payment to confirm transactions server-side | V10.2.1 | Done |
-| 5 | H3 | Throw on missing JWT_SECRET instead of fallback | V6.4.1 | Done |
-
-### Phase 1: Pre-launch (before public access) -- COMPLETE
-
-| # | Finding | Fix | ASVS | Status |
-|---|---------|-----|------|--------|
-| 6 | C4 | Create `escapeHtml()` utility, apply to all email template interpolations | V5.2.6 | Done |
-| 7 | H4 | Add JWT verification to upload endpoint | V4.1.3 | Done |
-| 8 | H5 | Add JWT verification to payment endpoints | V4.1.1 | Done |
-| 9 | H6 | Remove `helcimCustomerId` from `allowedFields` | V5.1.3 | Done |
-| 10 | H2 | Add CSRF double-submit cookie middleware (exempt webhooks) | V3.5.2 | Done |
-| 11 | H9 | Add CSP, HSTS, X-Frame-Options, X-Content-Type-Options headers | V9.1.1 | Done |
-| 12 | H1 | Add rate limiting to login, registration, upload, payment | V13.2.5 | Done |
-| 13 | H8 | Return identical response for existing/non-existing accounts | V2.1.7 | Done |
-| 14 | -- | Add `status: 'active'` check to auth endpoints | V4.1.1 | Done |
-
-### Phase 2: Hardening (within 30 days of launch) -- PARTIAL
-
-| # | Finding | Fix | ASVS | Status |
-|---|---------|-----|------|--------|
-| 15 | H7 | Implement Zod validation across all API endpoints | V5.1.3 | Open |
-| 16 | M5 | Escape regex in directory search | V5.3.4 | Open |
-| 17 | M4 | Remove sensitive console.log statements | V7.1.1 | Open |
-| 18 | M3 | Make devtools conditional on NODE_ENV | V7.4.1 | Open |
-| 19 | M1 | Shorter session tokens (7d) with refresh endpoint | V2.5.2 | Done |
-| 20 | -- | Create shared `requireAuth()`/`requireAdmin()` utilities | V4.1.1 | Done |
-
-### Phase 3: Before building planned features
-
-| # | Fix | Status |
-|---|-----|--------|
-| 21 | Build sanitization utility (DOMPurify wrapper) for all user-generated HTML | Open |
-| 22 | Design admin role model with granular permissions | Open |
-| 23 | Implement file validation pipeline (type, size, virus scanning) | Open |
-| 24 | Design credential management patterns (encrypted at rest) | Open |
-
----
-
-## Automated Testing
-
-### Framework
-
-Vitest with two test projects:
-
-- **Server tests** (`tests/server/`): Node.js environment, h3 globals stubbed from real h3 functions
-- **Client tests** (`tests/client/`): jsdom environment for browser-side composables
-
-```bash
-npm run test       # Watch mode
-npm run test:run   # Single run (CI)
-```
-
-### Infrastructure
-
-- `tests/server/setup.js` -- Stubs real h3 functions (`getCookie`, `setCookie`, `getMethod`, `getHeader`, `setHeader`, `getRequestURL`, `createError`, `defineEventHandler`, `readBody`, etc.) as globals to simulate Nitro auto-imports. Also stubs `useRuntimeConfig`.
-- `tests/server/helpers/createMockEvent.js` -- Factory that builds real h3 events from Node.js `IncomingMessage`/`ServerResponse` pairs. Accepts `method`, `path`, `headers`, `cookies`, `body`, and `remoteAddress`. Captures response headers via `event._testSetHeaders` for assertions.
-
-### Test Coverage (79 tests across 8 files)
-
-| File | Tests | Security Controls Verified |
-|------|-------|---------------------------|
-| `tests/server/utils/escapeHtml.test.js` | 12 | All 5 HTML entity escapes, null/undefined handling, `<script>` and `<img onerror>` XSS payloads (C4, V5.2.6) |
-| `tests/client/composables/useMarkdown.test.js` | 18 | Script/iframe/object/embed tags stripped, onerror/onclick attrs stripped, javascript: URIs sanitized, safe markdown preserved (C3, V5.3.3) |
-| `tests/server/middleware/csrf.test.js` | 14 | GET/HEAD/OPTIONS bypass, non-API bypass, webhook exemptions, 403 on missing/mismatched token, PATCH/DELETE enforcement, cookie provisioning (H2, V3.5.2) |
-| `tests/server/middleware/security-headers.test.js` | 12 | X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy always set; HSTS + CSP production-only; CSP includes Helcim/Cloudinary/Plausible sources (H9, V9.1.1) |
-| `tests/server/middleware/rate-limit.test.js` | 4 | Auth endpoint 5/5min limit, payment endpoint 10/min limit, IP isolation between clients (H1, V13.2.5) |
-| `tests/server/utils/auth.test.js` | 8 | No cookie = 401, invalid JWT = 401, member not found = 401, suspended = 403, cancelled = 403, active = returns member, non-admin = 403, admin = returns member (C1, V4.1.1) |
-| `tests/server/api/auth-login.test.js` | 4 | Existing and non-existing emails return identical response shape and message, missing email = 400 (H8, V2.1.7) |
-| `tests/server/api/members-profile-patch.test.js` | 7 | `helcimCustomerId`, `role`, `status`, `email`, `_id` blocked from `$set`; allowed fields (`pronouns`, `bio`, `studio`, etc.) and nested objects (`offering`, `lookingFor`) pass through (H6, V5.1.3) |
-
-### Manual Test Cases
-
-These items require browser or network-level verification and are not covered by automated tests:
-
-**Item 1 (Cookie flags):** Open DevTools > Application > Cookies. Verify `auth-token` has `HttpOnly: true`. Run `document.cookie` in console -- `auth-token` must NOT appear. Auth flow must still work.
-
-**Item 4 (Payment verification):** Fake `cardToken` = failure. Real HelcimPay.js flow in test mode = success.
-
-**Item 5 (JWT fallback):** Unset `JWT_SECRET`, start server = crash with clear error. Set it = normal startup.
-
-**Item 7 (Upload auth):** POST `/api/upload/image` with no cookie = 401. With valid auth = success.
-
-**Item 8 (Payment auth):** Each endpoint with no cookie = 401. Full join flow still completes.
-
-### Integration verification (after each phase)
-
-- `npm run test:run` -- all 79 tests pass
-- `npm run build` succeeds
-- Full join flow: free tier + paid tier
-- Full login flow: magic link request, click, redirect to `/members`
-- Profile editing: avatar upload, bio update, privacy settings
-- Admin pages: access control verified
-- `curl` against hardened endpoints: unauthenticated = rejected
diff --git a/nuxt.config.ts b/nuxt.config.ts
index eadc666..208fea0 100644
--- a/nuxt.config.ts
+++ b/nuxt.config.ts
@@ -1,7 +1,7 @@
 // https://nuxt.com/docs/api/configuration/nuxt-config
 export default defineNuxtConfig({
   compatibilityDate: "2025-07-15",
-  devtools: { enabled: process.env.NODE_ENV !== 'production' },
+  devtools: { enabled: true },
   modules: ["@nuxt/eslint", "@nuxt/ui", "@nuxtjs/plausible"],
   build: {
     transpile: ["vue-cal"],
@@ -14,15 +14,12 @@ export default defineNuxtConfig({
     // Private keys (server-side only)
     mongodbUri:
       process.env.MONGODB_URI || "mongodb://localhost:27017/ghostguild",
-    jwtSecret: process.env.JWT_SECRET || "",
+    jwtSecret: process.env.JWT_SECRET || "dev-secret-change-in-production",
     resendApiKey: process.env.RESEND_API_KEY || "",
     helcimApiToken: process.env.HELCIM_API_TOKEN || "",
     slackBotToken: process.env.SLACK_BOT_TOKEN || "",
     slackSigningSecret: process.env.SLACK_SIGNING_SECRET || "",
     slackVettingChannelId: process.env.SLACK_VETTING_CHANNEL_ID || "",
-    oidcClientId: process.env.OIDC_CLIENT_ID || "outline-wiki",
-    oidcClientSecret: process.env.OIDC_CLIENT_SECRET || "",
-    oidcCookieSecret: process.env.OIDC_COOKIE_SECRET || "",
 
     // Public keys (available on client-side)
     public: {
diff --git a/package-lock.json b/package-lock.json
index 63183ff..175196e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -14,17 +14,15 @@
         "@nuxt/ui": "^4.0.0",
         "@nuxtjs/plausible": "^3.0.1",
         "@slack/web-api": "^7.10.0",
+        "bcryptjs": "^3.0.2",
         "chrono-node": "^2.8.4",
         "cloudinary": "^2.7.0",
         "eslint": "^9.34.0",
-        "isomorphic-dompurify": "^3.0.0",
         "jsonwebtoken": "^9.0.2",
         "marked": "^17.0.3",
         "mongoose": "^8.18.0",
         "nitro-cors": "^0.7.1",
         "nuxt": "^4.0.3",
-        "oidc-provider": "^9.6.1",
-        "rate-limiter-flexible": "^9.1.1",
         "resend": "^6.0.1",
         "typescript": "^5.9.2",
         "vue": "^3.5.20",
@@ -32,20 +30,9 @@
         "zod": "^4.1.3"
       },
       "devDependencies": {
-        "@nuxt/test-utils": "^4.0.0",
-        "@tailwindcss/typography": "^0.5.19",
-        "@types/jsonwebtoken": "^9.0.10",
-        "@types/oidc-provider": "^9.5.0",
-        "jsdom": "^28.1.0",
-        "vitest": "^4.0.18"
+        "@tailwindcss/typography": "^0.5.19"
       }
     },
-    "node_modules/@acemir/cssom": {
-      "version": "0.9.31",
-      "resolved": "https://registry.npmjs.org/@acemir/cssom/-/cssom-0.9.31.tgz",
-      "integrity": "sha512-ZnR3GSaH+/vJ0YlHau21FjfLYjMpYVIzTD8M8vIEQvIGxeOXyXdzCI140rrCY862p/C/BbzWsjc1dgnM9mkoTA==",
-      "license": "MIT"
-    },
     "node_modules/@alloc/quick-lru": {
       "version": "5.2.0",
       "resolved": "https://registry.npmjs.org/@alloc/quick-lru/-/quick-lru-5.2.0.tgz",
@@ -89,59 +76,6 @@
         "@types/json-schema": "^7.0.15"
       }
     },
-    "node_modules/@asamuzakjp/css-color": {
-      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/@asamuzakjp/css-color/-/css-color-5.0.1.tgz",
-      "integrity": "sha512-2SZFvqMyvboVV1d15lMf7XiI3m7SDqXUuKaTymJYLN6dSGadqp+fVojqJlVoMlbZnlTmu3S0TLwLTJpvBMO1Aw==",
-      "license": "MIT",
-      "dependencies": {
-        "@csstools/css-calc": "^3.1.1",
-        "@csstools/css-color-parser": "^4.0.2",
-        "@csstools/css-parser-algorithms": "^4.0.0",
-        "@csstools/css-tokenizer": "^4.0.0",
-        "lru-cache": "^11.2.6"
-      },
-      "engines": {
-        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
-      }
-    },
-    "node_modules/@asamuzakjp/css-color/node_modules/lru-cache": {
-      "version": "11.2.6",
-      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.2.6.tgz",
-      "integrity": "sha512-ESL2CrkS/2wTPfuend7Zhkzo2u0daGJ/A2VucJOgQ/C48S/zB8MMeMHSGKYpXhIjbPxfuezITkaBH1wqv00DDQ==",
-      "license": "BlueOak-1.0.0",
-      "engines": {
-        "node": "20 || >=22"
-      }
-    },
-    "node_modules/@asamuzakjp/dom-selector": {
-      "version": "6.8.1",
-      "resolved": "https://registry.npmjs.org/@asamuzakjp/dom-selector/-/dom-selector-6.8.1.tgz",
-      "integrity": "sha512-MvRz1nCqW0fsy8Qz4dnLIvhOlMzqDVBabZx6lH+YywFDdjXhMY37SmpV1XFX3JzG5GWHn63j6HX6QPr3lZXHvQ==",
-      "license": "MIT",
-      "dependencies": {
-        "@asamuzakjp/nwsapi": "^2.3.9",
-        "bidi-js": "^1.0.3",
-        "css-tree": "^3.1.0",
-        "is-potential-custom-element-name": "^1.0.1",
-        "lru-cache": "^11.2.6"
-      }
-    },
-    "node_modules/@asamuzakjp/dom-selector/node_modules/lru-cache": {
-      "version": "11.2.6",
-      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.2.6.tgz",
-      "integrity": "sha512-ESL2CrkS/2wTPfuend7Zhkzo2u0daGJ/A2VucJOgQ/C48S/zB8MMeMHSGKYpXhIjbPxfuezITkaBH1wqv00DDQ==",
-      "license": "BlueOak-1.0.0",
-      "engines": {
-        "node": "20 || >=22"
-      }
-    },
-    "node_modules/@asamuzakjp/nwsapi": {
-      "version": "2.3.9",
-      "resolved": "https://registry.npmjs.org/@asamuzakjp/nwsapi/-/nwsapi-2.3.9.tgz",
-      "integrity": "sha512-n8GuYSrI9bF7FFZ/SjhwevlHc8xaVlb/7HmHelnc/PZXBD2ZR49NnN9sMMuDdEGPeeRQ5d0hqlSlEpgCX3Wl0Q==",
-      "license": "MIT"
-    },
     "node_modules/@babel/code-frame": {
       "version": "7.29.0",
       "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.0.tgz",
@@ -564,18 +498,6 @@
         }
       }
     },
-    "node_modules/@bramus/specificity": {
-      "version": "2.4.2",
-      "resolved": "https://registry.npmjs.org/@bramus/specificity/-/specificity-2.4.2.tgz",
-      "integrity": "sha512-ctxtJ/eA+t+6q2++vj5j7FYX3nRu311q1wfYH3xjlLOsczhlhxAg2FWNUXhpGvAw3BWo1xBcvOV6/YLc2r5FJw==",
-      "license": "MIT",
-      "dependencies": {
-        "css-tree": "^3.0.0"
-      },
-      "bin": {
-        "specificity": "bin/cli.js"
-      }
-    },
     "node_modules/@capsizecss/unpack": {
       "version": "4.0.0",
       "resolved": "https://registry.npmjs.org/@capsizecss/unpack/-/unpack-4.0.0.tgz",
@@ -659,132 +581,6 @@
         "@cloudinary/html": "^1.13.5"
       }
     },
-    "node_modules/@csstools/color-helpers": {
-      "version": "6.0.2",
-      "resolved": "https://registry.npmjs.org/@csstools/color-helpers/-/color-helpers-6.0.2.tgz",
-      "integrity": "sha512-LMGQLS9EuADloEFkcTBR3BwV/CGHV7zyDxVRtVDTwdI2Ca4it0CCVTT9wCkxSgokjE5Ho41hEPgb8OEUwoXr6Q==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/csstools"
-        },
-        {
-          "type": "opencollective",
-          "url": "https://opencollective.com/csstools"
-        }
-      ],
-      "license": "MIT-0",
-      "engines": {
-        "node": ">=20.19.0"
-      }
-    },
-    "node_modules/@csstools/css-calc": {
-      "version": "3.1.1",
-      "resolved": "https://registry.npmjs.org/@csstools/css-calc/-/css-calc-3.1.1.tgz",
-      "integrity": "sha512-HJ26Z/vmsZQqs/o3a6bgKslXGFAungXGbinULZO3eMsOyNJHeBBZfup5FiZInOghgoM4Hwnmw+OgbJCNg1wwUQ==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/csstools"
-        },
-        {
-          "type": "opencollective",
-          "url": "https://opencollective.com/csstools"
-        }
-      ],
-      "license": "MIT",
-      "engines": {
-        "node": ">=20.19.0"
-      },
-      "peerDependencies": {
-        "@csstools/css-parser-algorithms": "^4.0.0",
-        "@csstools/css-tokenizer": "^4.0.0"
-      }
-    },
-    "node_modules/@csstools/css-color-parser": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/@csstools/css-color-parser/-/css-color-parser-4.0.2.tgz",
-      "integrity": "sha512-0GEfbBLmTFf0dJlpsNU7zwxRIH0/BGEMuXLTCvFYxuL1tNhqzTbtnFICyJLTNK4a+RechKP75e7w42ClXSnJQw==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/csstools"
-        },
-        {
-          "type": "opencollective",
-          "url": "https://opencollective.com/csstools"
-        }
-      ],
-      "license": "MIT",
-      "dependencies": {
-        "@csstools/color-helpers": "^6.0.2",
-        "@csstools/css-calc": "^3.1.1"
-      },
-      "engines": {
-        "node": ">=20.19.0"
-      },
-      "peerDependencies": {
-        "@csstools/css-parser-algorithms": "^4.0.0",
-        "@csstools/css-tokenizer": "^4.0.0"
-      }
-    },
-    "node_modules/@csstools/css-parser-algorithms": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/@csstools/css-parser-algorithms/-/css-parser-algorithms-4.0.0.tgz",
-      "integrity": "sha512-+B87qS7fIG3L5h3qwJ/IFbjoVoOe/bpOdh9hAjXbvx0o8ImEmUsGXN0inFOnk2ChCFgqkkGFQ+TpM5rbhkKe4w==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/csstools"
-        },
-        {
-          "type": "opencollective",
-          "url": "https://opencollective.com/csstools"
-        }
-      ],
-      "license": "MIT",
-      "engines": {
-        "node": ">=20.19.0"
-      },
-      "peerDependencies": {
-        "@csstools/css-tokenizer": "^4.0.0"
-      }
-    },
-    "node_modules/@csstools/css-syntax-patches-for-csstree": {
-      "version": "1.0.28",
-      "resolved": "https://registry.npmjs.org/@csstools/css-syntax-patches-for-csstree/-/css-syntax-patches-for-csstree-1.0.28.tgz",
-      "integrity": "sha512-1NRf1CUBjnr3K7hu8BLxjQrKCxEe8FP/xmPTenAxCRZWVLbmGotkFvG9mfNpjA6k7Bw1bw4BilZq9cu19RA5pg==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/csstools"
-        },
-        {
-          "type": "opencollective",
-          "url": "https://opencollective.com/csstools"
-        }
-      ],
-      "license": "MIT-0"
-    },
-    "node_modules/@csstools/css-tokenizer": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/@csstools/css-tokenizer/-/css-tokenizer-4.0.0.tgz",
-      "integrity": "sha512-QxULHAm7cNu72w97JUNCBFODFaXpbDg+dP8b/oWFAZ2MTRppA3U00Y2L1HqaS4J6yBqxwa/Y3nMBaxVKbB/NsA==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/csstools"
-        },
-        {
-          "type": "opencollective",
-          "url": "https://opencollective.com/csstools"
-        }
-      ],
-      "license": "MIT",
-      "engines": {
-        "node": ">=20.19.0"
-      }
-    },
     "node_modules/@dxup/nuxt": {
       "version": "0.3.2",
       "resolved": "https://registry.npmjs.org/@dxup/nuxt/-/nuxt-0.3.2.tgz",
@@ -1573,23 +1369,6 @@
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
       }
     },
-    "node_modules/@exodus/bytes": {
-      "version": "1.14.1",
-      "resolved": "https://registry.npmjs.org/@exodus/bytes/-/bytes-1.14.1.tgz",
-      "integrity": "sha512-OhkBFWI6GcRMUroChZiopRiSp2iAMvEBK47NhJooDqz1RERO4QuZIZnjP63TXX8GAiLABkYmX+fuQsdJ1dd2QQ==",
-      "license": "MIT",
-      "engines": {
-        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
-      },
-      "peerDependencies": {
-        "@noble/hashes": "^1.8.0 || ^2.0.0"
-      },
-      "peerDependenciesMeta": {
-        "@noble/hashes": {
-          "optional": true
-        }
-      }
-    },
     "node_modules/@floating-ui/core": {
       "version": "1.7.4",
       "resolved": "https://registry.npmjs.org/@floating-ui/core/-/core-1.7.4.tgz",
@@ -1952,41 +1731,6 @@
         "@jridgewell/sourcemap-codec": "^1.4.14"
       }
     },
-    "node_modules/@koa/cors": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/@koa/cors/-/cors-5.0.0.tgz",
-      "integrity": "sha512-x/iUDjcS90W69PryLDIMgFyV21YLTnG9zOpPXS7Bkt2b8AsY3zZsIpOLBkYr9fBcF3HbkKaER5hOBZLfpLgYNw==",
-      "license": "MIT",
-      "dependencies": {
-        "vary": "^1.1.2"
-      },
-      "engines": {
-        "node": ">= 14.0.0"
-      }
-    },
-    "node_modules/@koa/router": {
-      "version": "15.3.1",
-      "resolved": "https://registry.npmjs.org/@koa/router/-/router-15.3.1.tgz",
-      "integrity": "sha512-n7UgxsPmgKtEsrguz8a0d6BNx3lO2x52Z4UqkGsGwJculk4TlzZf3btd3QZMq1r1M+bSxUkBbyul4mDhysIVaQ==",
-      "license": "MIT",
-      "dependencies": {
-        "debug": "^4.4.3",
-        "http-errors": "^2.0.1",
-        "koa-compose": "^4.1.0",
-        "path-to-regexp": "^8.3.0"
-      },
-      "engines": {
-        "node": ">= 20"
-      },
-      "peerDependencies": {
-        "koa": "^2.0.0 || ^3.0.0"
-      },
-      "peerDependenciesMeta": {
-        "koa": {
-          "optional": false
-        }
-      }
-    },
     "node_modules/@kwsites/file-exists": {
       "version": "1.1.1",
       "resolved": "https://registry.npmjs.org/@kwsites/file-exists/-/file-exists-1.1.1.tgz",
@@ -2567,223 +2311,6 @@
       "integrity": "sha512-zpYTCs2byOuft65vI3z43Dd6iSdFbOZZLb9/d21aCpx2rGastVU9dOCv0lu4ykc1Ur1anAYjDi3SUvR0vq50JA==",
       "license": "MIT"
     },
-    "node_modules/@nuxt/test-utils": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/@nuxt/test-utils/-/test-utils-4.0.0.tgz",
-      "integrity": "sha512-QJfyCiqYxflUKA5xlEGuXdDApTBhJxoPXxYePIDtA90hkmKbhYs/mrMM+Bi9LiUrI/cCJOPRyIx9jOzhMvTIgg==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@clack/prompts": "1.0.0",
-        "@nuxt/devtools-kit": "^2.7.0",
-        "@nuxt/kit": "^3.21.0",
-        "c12": "^3.3.3",
-        "consola": "^3.4.2",
-        "defu": "^6.1.4",
-        "destr": "^2.0.5",
-        "estree-walker": "^3.0.3",
-        "exsolve": "^1.0.8",
-        "fake-indexeddb": "^6.2.5",
-        "get-port-please": "^3.2.0",
-        "h3": "^1.15.5",
-        "h3-next": "npm:h3@2.0.1-rc.11",
-        "local-pkg": "^1.1.2",
-        "magic-string": "^0.30.21",
-        "node-fetch-native": "^1.6.7",
-        "node-mock-http": "^1.0.4",
-        "nypm": "^0.6.4",
-        "ofetch": "^1.5.1",
-        "pathe": "^2.0.3",
-        "perfect-debounce": "^2.1.0",
-        "radix3": "^1.1.2",
-        "scule": "^1.3.0",
-        "std-env": "^3.10.0",
-        "tinyexec": "^1.0.2",
-        "ufo": "^1.6.3",
-        "unplugin": "^3.0.0",
-        "vitest-environment-nuxt": "^1.0.1",
-        "vue": "^3.5.27"
-      },
-      "engines": {
-        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
-      },
-      "peerDependencies": {
-        "@cucumber/cucumber": ">=11.0.0",
-        "@jest/globals": ">=30.0.0",
-        "@playwright/test": "^1.43.1",
-        "@testing-library/vue": "^8.0.1",
-        "@vue/test-utils": "^2.4.2",
-        "happy-dom": ">=20.0.11",
-        "jsdom": ">=27.4.0",
-        "playwright-core": "^1.43.1",
-        "vitest": "^4.0.2"
-      },
-      "peerDependenciesMeta": {
-        "@cucumber/cucumber": {
-          "optional": true
-        },
-        "@jest/globals": {
-          "optional": true
-        },
-        "@playwright/test": {
-          "optional": true
-        },
-        "@testing-library/vue": {
-          "optional": true
-        },
-        "@vitest/ui": {
-          "optional": true
-        },
-        "@vue/test-utils": {
-          "optional": true
-        },
-        "happy-dom": {
-          "optional": true
-        },
-        "jsdom": {
-          "optional": true
-        },
-        "playwright-core": {
-          "optional": true
-        },
-        "vitest": {
-          "optional": true
-        }
-      }
-    },
-    "node_modules/@nuxt/test-utils/node_modules/@clack/core": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/@clack/core/-/core-1.0.0.tgz",
-      "integrity": "sha512-Orf9Ltr5NeiEuVJS8Rk2XTw3IxNC2Bic3ash7GgYeA8LJ/zmSNpSQ/m5UAhe03lA6KFgklzZ5KTHs4OAMA/SAQ==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "picocolors": "^1.0.0",
-        "sisteransi": "^1.0.5"
-      }
-    },
-    "node_modules/@nuxt/test-utils/node_modules/@clack/prompts": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/@clack/prompts/-/prompts-1.0.0.tgz",
-      "integrity": "sha512-rWPXg9UaCFqErJVQ+MecOaWsozjaxol4yjnmYcGNipAWzdaWa2x+VJmKfGq7L0APwBohQOYdHC+9RO4qRXej+A==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@clack/core": "1.0.0",
-        "picocolors": "^1.0.0",
-        "sisteransi": "^1.0.5"
-      }
-    },
-    "node_modules/@nuxt/test-utils/node_modules/@nuxt/devtools-kit": {
-      "version": "2.7.0",
-      "resolved": "https://registry.npmjs.org/@nuxt/devtools-kit/-/devtools-kit-2.7.0.tgz",
-      "integrity": "sha512-MIJdah6CF6YOW2GhfKnb8Sivu6HpcQheqdjOlZqShBr+1DyjtKQbAKSCAyKPaoIzZP4QOo2SmTFV6aN8jBeEIQ==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@nuxt/kit": "^3.19.3",
-        "execa": "^8.0.1"
-      },
-      "peerDependencies": {
-        "vite": ">=6.0"
-      }
-    },
-    "node_modules/@nuxt/test-utils/node_modules/@nuxt/kit": {
-      "version": "3.21.1",
-      "resolved": "https://registry.npmjs.org/@nuxt/kit/-/kit-3.21.1.tgz",
-      "integrity": "sha512-QORZRjcuTKgo++XP1Pc2c2gqwRydkaExrIRfRI9vFsPA3AzuHVn5Gfmbv1ic8y34e78mr5DMBvJlelUaeOuajg==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "c12": "^3.3.3",
-        "consola": "^3.4.2",
-        "defu": "^6.1.4",
-        "destr": "^2.0.5",
-        "errx": "^0.1.0",
-        "exsolve": "^1.0.8",
-        "ignore": "^7.0.5",
-        "jiti": "^2.6.1",
-        "klona": "^2.0.6",
-        "knitwork": "^1.3.0",
-        "mlly": "^1.8.0",
-        "ohash": "^2.0.11",
-        "pathe": "^2.0.3",
-        "pkg-types": "^2.3.0",
-        "rc9": "^3.0.0",
-        "scule": "^1.3.0",
-        "semver": "^7.7.4",
-        "tinyglobby": "^0.2.15",
-        "ufo": "^1.6.3",
-        "unctx": "^2.5.0",
-        "untyped": "^2.0.0"
-      },
-      "engines": {
-        "node": ">=18.12.0"
-      }
-    },
-    "node_modules/@nuxt/test-utils/node_modules/crossws": {
-      "version": "0.4.4",
-      "resolved": "https://registry.npmjs.org/crossws/-/crossws-0.4.4.tgz",
-      "integrity": "sha512-w6c4OdpRNnudVmcgr7brb/+/HmYjMQvYToO/oTrprTwxRUiom3LYWU1PMWuD006okbUWpII1Ea9/+kwpUfmyRg==",
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "peer": true,
-      "peerDependencies": {
-        "srvx": ">=0.7.1"
-      },
-      "peerDependenciesMeta": {
-        "srvx": {
-          "optional": true
-        }
-      }
-    },
-    "node_modules/@nuxt/test-utils/node_modules/estree-walker": {
-      "version": "3.0.3",
-      "resolved": "https://registry.npmjs.org/estree-walker/-/estree-walker-3.0.3.tgz",
-      "integrity": "sha512-7RUKfXgSMMkzt6ZuXmqapOurLGPPfgj6l9uRZ7lRGolvk0y2yocc35LdcxKC5PQZdn2DMqioAQ2NoWcrTKmm6g==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@types/estree": "^1.0.0"
-      }
-    },
-    "node_modules/@nuxt/test-utils/node_modules/h3-next": {
-      "name": "h3",
-      "version": "2.0.1-rc.11",
-      "resolved": "https://registry.npmjs.org/h3/-/h3-2.0.1-rc.11.tgz",
-      "integrity": "sha512-2myzjCqy32c1As9TjZW9fNZXtLqNedjFSrdFy2AjFBQQ3LzrnGoDdFDYfC0tV2e4vcyfJ2Sfo/F6NQhO2Ly/Mw==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "rou3": "^0.7.12",
-        "srvx": "^0.10.1"
-      },
-      "engines": {
-        "node": ">=20.11.1"
-      },
-      "peerDependencies": {
-        "crossws": "^0.4.1"
-      },
-      "peerDependenciesMeta": {
-        "crossws": {
-          "optional": true
-        }
-      }
-    },
-    "node_modules/@nuxt/test-utils/node_modules/srvx": {
-      "version": "0.10.1",
-      "resolved": "https://registry.npmjs.org/srvx/-/srvx-0.10.1.tgz",
-      "integrity": "sha512-A//xtfak4eESMWWydSRFUVvCTQbSwivnGCEf8YGPe2eHU0+Z6znfUTCPF0a7oV3sObSOcrXHlL6Bs9vVctfXdg==",
-      "dev": true,
-      "license": "MIT",
-      "bin": {
-        "srvx": "bin/srvx.mjs"
-      },
-      "engines": {
-        "node": ">=20.16.0"
-      }
-    },
     "node_modules/@nuxt/ui": {
       "version": "4.5.0",
       "resolved": "https://registry.npmjs.org/@nuxt/ui/-/ui-4.5.0.tgz",
@@ -6000,171 +5527,18 @@
         "tslib": "^2.4.0"
       }
     },
-    "node_modules/@types/accepts": {
-      "version": "1.3.7",
-      "resolved": "https://registry.npmjs.org/@types/accepts/-/accepts-1.3.7.tgz",
-      "integrity": "sha512-Pay9fq2lM2wXPWbteBsRAGiWH2hig4ZE2asK+mm7kUzlxRTfL961rj89I6zV/E3PcIkDqyuBEcMxFT7rccugeQ==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@types/node": "*"
-      }
-    },
-    "node_modules/@types/body-parser": {
-      "version": "1.19.6",
-      "resolved": "https://registry.npmjs.org/@types/body-parser/-/body-parser-1.19.6.tgz",
-      "integrity": "sha512-HLFeCYgz89uk22N5Qg3dvGvsv46B8GLvKKo1zKG4NybA8U2DiEO3w9lqGg29t/tfLRJpJ6iQxnVw4OnB7MoM9g==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@types/connect": "*",
-        "@types/node": "*"
-      }
-    },
-    "node_modules/@types/chai": {
-      "version": "5.2.3",
-      "resolved": "https://registry.npmjs.org/@types/chai/-/chai-5.2.3.tgz",
-      "integrity": "sha512-Mw558oeA9fFbv65/y4mHtXDs9bPnFMZAL/jxdPFUpOHHIXX91mcgEHbS5Lahr+pwZFR8A7GQleRWeI6cGFC2UA==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@types/deep-eql": "*",
-        "assertion-error": "^2.0.1"
-      }
-    },
-    "node_modules/@types/connect": {
-      "version": "3.4.38",
-      "resolved": "https://registry.npmjs.org/@types/connect/-/connect-3.4.38.tgz",
-      "integrity": "sha512-K6uROf1LD88uDQqJCktA4yzL1YYAK6NgfsI0v/mTgyPKWsX1CnJ0XPSDhViejru1GcRkLWb8RlzFYJRqGUbaug==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@types/node": "*"
-      }
-    },
-    "node_modules/@types/content-disposition": {
-      "version": "0.5.9",
-      "resolved": "https://registry.npmjs.org/@types/content-disposition/-/content-disposition-0.5.9.tgz",
-      "integrity": "sha512-8uYXI3Gw35MhiVYhG3s295oihrxRyytcRHjSjqnqZVDDy/xcGBRny7+Xj1Wgfhv5QzRtN2hB2dVRBUX9XW3UcQ==",
-      "dev": true,
-      "license": "MIT"
-    },
-    "node_modules/@types/cookies": {
-      "version": "0.9.2",
-      "resolved": "https://registry.npmjs.org/@types/cookies/-/cookies-0.9.2.tgz",
-      "integrity": "sha512-1AvkDdZM2dbyFybL4fxpuNCaWyv//0AwsuUk2DWeXyM1/5ZKm6W3z6mQi24RZ4l2ucY+bkSHzbDVpySqPGuV8A==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@types/connect": "*",
-        "@types/express": "*",
-        "@types/keygrip": "*",
-        "@types/node": "*"
-      }
-    },
-    "node_modules/@types/deep-eql": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/@types/deep-eql/-/deep-eql-4.0.2.tgz",
-      "integrity": "sha512-c9h9dVVMigMPc4bwTvC5dxqtqJZwQPePsWjPlpSOnojbor6pGqdk541lfA7AqFQr5pB1BRdq0juY9db81BwyFw==",
-      "dev": true,
-      "license": "MIT"
-    },
     "node_modules/@types/estree": {
       "version": "1.0.8",
       "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.8.tgz",
       "integrity": "sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w==",
       "license": "MIT"
     },
-    "node_modules/@types/express": {
-      "version": "5.0.6",
-      "resolved": "https://registry.npmjs.org/@types/express/-/express-5.0.6.tgz",
-      "integrity": "sha512-sKYVuV7Sv9fbPIt/442koC7+IIwK5olP1KWeD88e/idgoJqDm3JV/YUiPwkoKK92ylff2MGxSz1CSjsXelx0YA==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@types/body-parser": "*",
-        "@types/express-serve-static-core": "^5.0.0",
-        "@types/serve-static": "^2"
-      }
-    },
-    "node_modules/@types/express-serve-static-core": {
-      "version": "5.1.1",
-      "resolved": "https://registry.npmjs.org/@types/express-serve-static-core/-/express-serve-static-core-5.1.1.tgz",
-      "integrity": "sha512-v4zIMr/cX7/d2BpAEX3KNKL/JrT1s43s96lLvvdTmza1oEvDudCqK9aF/djc/SWgy8Yh0h30TZx5VpzqFCxk5A==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@types/node": "*",
-        "@types/qs": "*",
-        "@types/range-parser": "*",
-        "@types/send": "*"
-      }
-    },
-    "node_modules/@types/http-assert": {
-      "version": "1.5.6",
-      "resolved": "https://registry.npmjs.org/@types/http-assert/-/http-assert-1.5.6.tgz",
-      "integrity": "sha512-TTEwmtjgVbYAzZYWyeHPrrtWnfVkm8tQkP8P21uQifPgMRgjrow3XDEYqucuC8SKZJT7pUnhU/JymvjggxO9vw==",
-      "dev": true,
-      "license": "MIT"
-    },
-    "node_modules/@types/http-errors": {
-      "version": "2.0.5",
-      "resolved": "https://registry.npmjs.org/@types/http-errors/-/http-errors-2.0.5.tgz",
-      "integrity": "sha512-r8Tayk8HJnX0FztbZN7oVqGccWgw98T/0neJphO91KkmOzug1KkofZURD4UaD5uH8AqcFLfdPErnBod0u71/qg==",
-      "dev": true,
-      "license": "MIT"
-    },
     "node_modules/@types/json-schema": {
       "version": "7.0.15",
       "resolved": "https://registry.npmjs.org/@types/json-schema/-/json-schema-7.0.15.tgz",
       "integrity": "sha512-5+fP8P8MFNC+AyZCDxrB2pkZFPGzqQWUzpSeuuVLvm8VMcorNYavBqoFcxK8bQz4Qsbn4oUEEem4wDLfcysGHA==",
       "license": "MIT"
     },
-    "node_modules/@types/jsonwebtoken": {
-      "version": "9.0.10",
-      "resolved": "https://registry.npmjs.org/@types/jsonwebtoken/-/jsonwebtoken-9.0.10.tgz",
-      "integrity": "sha512-asx5hIG9Qmf/1oStypjanR7iKTv0gXQ1Ov/jfrX6kS/EO0OFni8orbmGCn0672NHR3kXHwpAwR+B368ZGN/2rA==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@types/ms": "*",
-        "@types/node": "*"
-      }
-    },
-    "node_modules/@types/keygrip": {
-      "version": "1.0.6",
-      "resolved": "https://registry.npmjs.org/@types/keygrip/-/keygrip-1.0.6.tgz",
-      "integrity": "sha512-lZuNAY9xeJt7Bx4t4dx0rYCDqGPW8RXhQZK1td7d4H6E9zYbLoOtjBvfwdTKpsyxQI/2jv+armjX/RW+ZNpXOQ==",
-      "dev": true,
-      "license": "MIT"
-    },
-    "node_modules/@types/koa": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/@types/koa/-/koa-3.0.1.tgz",
-      "integrity": "sha512-VkB6WJUQSe0zBpR+Q7/YIUESGp5wPHcaXr0xueU5W0EOUWtlSbblsl+Kl31lyRQ63nIILh0e/7gXjQ09JXJIHw==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@types/accepts": "*",
-        "@types/content-disposition": "*",
-        "@types/cookies": "*",
-        "@types/http-assert": "*",
-        "@types/http-errors": "^2",
-        "@types/keygrip": "*",
-        "@types/koa-compose": "*",
-        "@types/node": "*"
-      }
-    },
-    "node_modules/@types/koa-compose": {
-      "version": "3.2.9",
-      "resolved": "https://registry.npmjs.org/@types/koa-compose/-/koa-compose-3.2.9.tgz",
-      "integrity": "sha512-BroAZ9FTvPiCy0Pi8tjD1OfJ7bgU1gQf0eR6e1Vm+JJATy9eKOG3hQMFtMciMawiSOVnLMdmUOC46s7HBhSTsA==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@types/koa": "*"
-      }
-    },
     "node_modules/@types/linkify-it": {
       "version": "5.0.0",
       "resolved": "https://registry.npmjs.org/@types/linkify-it/-/linkify-it-5.0.0.tgz",
@@ -6211,13 +5585,6 @@
       "integrity": "sha512-RGdgjQUZba5p6QEFAVx2OGb8rQDL/cPRG7GiedRzMcJ1tYnUANBncjbSB1NRGwbvjcPeikRABz2nshyPk1bhWg==",
       "license": "MIT"
     },
-    "node_modules/@types/ms": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/@types/ms/-/ms-2.1.0.tgz",
-      "integrity": "sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA==",
-      "dev": true,
-      "license": "MIT"
-    },
     "node_modules/@types/node": {
       "version": "25.3.0",
       "resolved": "https://registry.npmjs.org/@types/node/-/node-25.3.0.tgz",
@@ -6227,32 +5594,6 @@
         "undici-types": "~7.18.0"
       }
     },
-    "node_modules/@types/oidc-provider": {
-      "version": "9.5.0",
-      "resolved": "https://registry.npmjs.org/@types/oidc-provider/-/oidc-provider-9.5.0.tgz",
-      "integrity": "sha512-eEzCRVTSqIHD9Bo/qRJ4XQWQ5Z/zBcG+Z2cGJluRsSuWx1RJihqRyPxhIEpMXTwPzHYRTQkVp7hwisQOwzzSAg==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@types/keygrip": "*",
-        "@types/koa": "*",
-        "@types/node": "*"
-      }
-    },
-    "node_modules/@types/qs": {
-      "version": "6.14.0",
-      "resolved": "https://registry.npmjs.org/@types/qs/-/qs-6.14.0.tgz",
-      "integrity": "sha512-eOunJqu0K1923aExK6y8p6fsihYEn/BYuQ4g0CxAAgFc4b/ZLN4CrsRZ55srTdqoiLzU2B2evC+apEIxprEzkQ==",
-      "dev": true,
-      "license": "MIT"
-    },
-    "node_modules/@types/range-parser": {
-      "version": "1.2.7",
-      "resolved": "https://registry.npmjs.org/@types/range-parser/-/range-parser-1.2.7.tgz",
-      "integrity": "sha512-hKormJbkJqzQGhziax5PItDUTMAM9uE2XXQmM37dyd4hVM+5aVl7oVxMVUiVQn2oCQFN/LKCZdvSM0pFRqbSmQ==",
-      "dev": true,
-      "license": "MIT"
-    },
     "node_modules/@types/resolve": {
       "version": "1.20.2",
       "resolved": "https://registry.npmjs.org/@types/resolve/-/resolve-1.20.2.tgz",
@@ -6265,34 +5606,6 @@
       "integrity": "sha512-wWKOClTTiizcZhXnPY4wikVAwmdYHp8q6DmC+EJUzAMsycb7HB32Kh9RN4+0gExjmPmZSAQjgURXIGATPegAvA==",
       "license": "MIT"
     },
-    "node_modules/@types/send": {
-      "version": "1.2.1",
-      "resolved": "https://registry.npmjs.org/@types/send/-/send-1.2.1.tgz",
-      "integrity": "sha512-arsCikDvlU99zl1g69TcAB3mzZPpxgw0UQnaHeC1Nwb015xp8bknZv5rIfri9xTOcMuaVgvabfIRA7PSZVuZIQ==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@types/node": "*"
-      }
-    },
-    "node_modules/@types/serve-static": {
-      "version": "2.2.0",
-      "resolved": "https://registry.npmjs.org/@types/serve-static/-/serve-static-2.2.0.tgz",
-      "integrity": "sha512-8mam4H1NHLtu7nmtalF7eyBH14QyOASmcxHhSfEoRyr0nP/YdoesEtU+uSRvMe96TW/HPTtkoKqQLl53N7UXMQ==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@types/http-errors": "*",
-        "@types/node": "*"
-      }
-    },
-    "node_modules/@types/trusted-types": {
-      "version": "2.0.7",
-      "resolved": "https://registry.npmjs.org/@types/trusted-types/-/trusted-types-2.0.7.tgz",
-      "integrity": "sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==",
-      "license": "MIT",
-      "optional": true
-    },
     "node_modules/@types/web-bluetooth": {
       "version": "0.0.21",
       "resolved": "https://registry.npmjs.org/@types/web-bluetooth/-/web-bluetooth-0.0.21.tgz",
@@ -6891,127 +6204,6 @@
         "vue": "^3.0.0"
       }
     },
-    "node_modules/@vitest/expect": {
-      "version": "4.0.18",
-      "resolved": "https://registry.npmjs.org/@vitest/expect/-/expect-4.0.18.tgz",
-      "integrity": "sha512-8sCWUyckXXYvx4opfzVY03EOiYVxyNrHS5QxX3DAIi5dpJAAkyJezHCP77VMX4HKA2LDT/Jpfo8i2r5BE3GnQQ==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@standard-schema/spec": "^1.0.0",
-        "@types/chai": "^5.2.2",
-        "@vitest/spy": "4.0.18",
-        "@vitest/utils": "4.0.18",
-        "chai": "^6.2.1",
-        "tinyrainbow": "^3.0.3"
-      },
-      "funding": {
-        "url": "https://opencollective.com/vitest"
-      }
-    },
-    "node_modules/@vitest/mocker": {
-      "version": "4.0.18",
-      "resolved": "https://registry.npmjs.org/@vitest/mocker/-/mocker-4.0.18.tgz",
-      "integrity": "sha512-HhVd0MDnzzsgevnOWCBj5Otnzobjy5wLBe4EdeeFGv8luMsGcYqDuFRMcttKWZA5vVO8RFjexVovXvAM4JoJDQ==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@vitest/spy": "4.0.18",
-        "estree-walker": "^3.0.3",
-        "magic-string": "^0.30.21"
-      },
-      "funding": {
-        "url": "https://opencollective.com/vitest"
-      },
-      "peerDependencies": {
-        "msw": "^2.4.9",
-        "vite": "^6.0.0 || ^7.0.0-0"
-      },
-      "peerDependenciesMeta": {
-        "msw": {
-          "optional": true
-        },
-        "vite": {
-          "optional": true
-        }
-      }
-    },
-    "node_modules/@vitest/mocker/node_modules/estree-walker": {
-      "version": "3.0.3",
-      "resolved": "https://registry.npmjs.org/estree-walker/-/estree-walker-3.0.3.tgz",
-      "integrity": "sha512-7RUKfXgSMMkzt6ZuXmqapOurLGPPfgj6l9uRZ7lRGolvk0y2yocc35LdcxKC5PQZdn2DMqioAQ2NoWcrTKmm6g==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@types/estree": "^1.0.0"
-      }
-    },
-    "node_modules/@vitest/pretty-format": {
-      "version": "4.0.18",
-      "resolved": "https://registry.npmjs.org/@vitest/pretty-format/-/pretty-format-4.0.18.tgz",
-      "integrity": "sha512-P24GK3GulZWC5tz87ux0m8OADrQIUVDPIjjj65vBXYG17ZeU3qD7r+MNZ1RNv4l8CGU2vtTRqixrOi9fYk/yKw==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "tinyrainbow": "^3.0.3"
-      },
-      "funding": {
-        "url": "https://opencollective.com/vitest"
-      }
-    },
-    "node_modules/@vitest/runner": {
-      "version": "4.0.18",
-      "resolved": "https://registry.npmjs.org/@vitest/runner/-/runner-4.0.18.tgz",
-      "integrity": "sha512-rpk9y12PGa22Jg6g5M3UVVnTS7+zycIGk9ZNGN+m6tZHKQb7jrP7/77WfZy13Y/EUDd52NDsLRQhYKtv7XfPQw==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@vitest/utils": "4.0.18",
-        "pathe": "^2.0.3"
-      },
-      "funding": {
-        "url": "https://opencollective.com/vitest"
-      }
-    },
-    "node_modules/@vitest/snapshot": {
-      "version": "4.0.18",
-      "resolved": "https://registry.npmjs.org/@vitest/snapshot/-/snapshot-4.0.18.tgz",
-      "integrity": "sha512-PCiV0rcl7jKQjbgYqjtakly6T1uwv/5BQ9SwBLekVg/EaYeQFPiXcgrC2Y7vDMA8dM1SUEAEV82kgSQIlXNMvA==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@vitest/pretty-format": "4.0.18",
-        "magic-string": "^0.30.21",
-        "pathe": "^2.0.3"
-      },
-      "funding": {
-        "url": "https://opencollective.com/vitest"
-      }
-    },
-    "node_modules/@vitest/spy": {
-      "version": "4.0.18",
-      "resolved": "https://registry.npmjs.org/@vitest/spy/-/spy-4.0.18.tgz",
-      "integrity": "sha512-cbQt3PTSD7P2OARdVW3qWER5EGq7PHlvE+QfzSC0lbwO+xnt7+XH06ZzFjFRgzUX//JmpxrCu92VdwvEPlWSNw==",
-      "dev": true,
-      "license": "MIT",
-      "funding": {
-        "url": "https://opencollective.com/vitest"
-      }
-    },
-    "node_modules/@vitest/utils": {
-      "version": "4.0.18",
-      "resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-4.0.18.tgz",
-      "integrity": "sha512-msMRKLMVLWygpK3u2Hybgi4MNjcYJvwTb0Ru09+fOyCXIgT5raYP041DRRdiJiI3k/2U6SEbAETB3YtBrUkCFA==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@vitest/pretty-format": "4.0.18",
-        "tinyrainbow": "^3.0.3"
-      },
-      "funding": {
-        "url": "https://opencollective.com/vitest"
-      }
-    },
     "node_modules/@volar/language-core": {
       "version": "2.4.28",
       "resolved": "https://registry.npmjs.org/@volar/language-core/-/language-core-2.4.28.tgz",
@@ -7416,19 +6608,6 @@
         "node": ">=6.5"
       }
     },
-    "node_modules/accepts": {
-      "version": "1.3.8",
-      "resolved": "https://registry.npmjs.org/accepts/-/accepts-1.3.8.tgz",
-      "integrity": "sha512-PYAthTa2m2VKxuvSD3DPC/Gy+U+sOA1LAuT8mkmRuvw+NACSaeXEQ+NHcVF7rONl6qcaxV3Uuemwawk+7+SJLw==",
-      "license": "MIT",
-      "dependencies": {
-        "mime-types": "~2.1.34",
-        "negotiator": "0.6.3"
-      },
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
     "node_modules/acorn": {
       "version": "8.16.0",
       "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.16.0.tgz",
@@ -7669,16 +6848,6 @@
         "node": ">=10"
       }
     },
-    "node_modules/assertion-error": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/assertion-error/-/assertion-error-2.0.1.tgz",
-      "integrity": "sha512-Izi8RQcffqCeNVgFigKli1ssklIbpHnCYc6AknXGYoB6grJqyeby7jv12JUQgmTAnIDnbck1uxksT4dzN3PWBA==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=12"
-      }
-    },
     "node_modules/ast-kit": {
       "version": "2.2.0",
       "resolved": "https://registry.npmjs.org/ast-kit/-/ast-kit-2.2.0.tgz",
@@ -7845,13 +7014,13 @@
         "node": ">=6.0.0"
       }
     },
-    "node_modules/bidi-js": {
-      "version": "1.0.3",
-      "resolved": "https://registry.npmjs.org/bidi-js/-/bidi-js-1.0.3.tgz",
-      "integrity": "sha512-RKshQI1R3YQ+n9YJz2QQ147P66ELpa1FQEg20Dk8oW9t2KgLbpDLLp9aGZ7y8WHSshDknG0bknqGw5/tyCs5tw==",
-      "license": "MIT",
-      "dependencies": {
-        "require-from-string": "^2.0.2"
+    "node_modules/bcryptjs": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/bcryptjs/-/bcryptjs-3.0.3.tgz",
+      "integrity": "sha512-GlF5wPWnSa/X5LKM1o0wz0suXIINz1iHRLvTS+sLyi7XPbe5ycmYI3DlZqVGZZtDgl4DmasFg7gOB3JYbphV5g==",
+      "license": "BSD-3-Clause",
+      "bin": {
+        "bcrypt": "bin/bcrypt"
       }
     },
     "node_modules/bindings": {
@@ -8031,15 +7200,6 @@
         "esbuild": ">=0.18"
       }
     },
-    "node_modules/bytes": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz",
-      "integrity": "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
     "node_modules/c12": {
       "version": "3.3.3",
       "resolved": "https://registry.npmjs.org/c12/-/c12-3.3.3.tgz",
@@ -8141,16 +7301,6 @@
       ],
       "license": "CC-BY-4.0"
     },
-    "node_modules/chai": {
-      "version": "6.2.2",
-      "resolved": "https://registry.npmjs.org/chai/-/chai-6.2.2.tgz",
-      "integrity": "sha512-NUPRluOfOiTKBKvWPtSD4PhFvWCqOi0BGStNWs57X9js7XGTprSmFoz5F0tWhR4WPjNeR9jXqdC7/UpSJTnlRg==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=18"
-      }
-    },
     "node_modules/chalk": {
       "version": "4.1.2",
       "resolved": "https://registry.npmjs.org/chalk/-/chalk-4.1.2.tgz",
@@ -8414,28 +7564,6 @@
         "node": "^14.18.0 || >=16.10.0"
       }
     },
-    "node_modules/content-disposition": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-1.0.1.tgz",
-      "integrity": "sha512-oIXISMynqSqm241k6kcQ5UwttDILMK4BiurCfGEREw6+X9jkkpEe5T9FZaApyLGGOnFuyMWZpdolTXMtvEJ08Q==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=18"
-      },
-      "funding": {
-        "type": "opencollective",
-        "url": "https://opencollective.com/express"
-      }
-    },
-    "node_modules/content-type": {
-      "version": "1.0.5",
-      "resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.5.tgz",
-      "integrity": "sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
     "node_modules/convert-source-map": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/convert-source-map/-/convert-source-map-2.0.0.tgz",
@@ -8448,19 +7576,6 @@
       "integrity": "sha512-+W7VmiVINB+ywl1HGXJXmrqkOhpKrIiVZV6tQuV54ZyQC7MMuBt81Vc336GMLoHBq5hV/F9eXgt5Mnx0Rha5Fg==",
       "license": "MIT"
     },
-    "node_modules/cookies": {
-      "version": "0.9.1",
-      "resolved": "https://registry.npmjs.org/cookies/-/cookies-0.9.1.tgz",
-      "integrity": "sha512-TG2hpqe4ELx54QER/S3HQ9SRVnQnGBtKUz5bLQWtYAQ+o6GpgMs6sYUvaiJjVxb+UXwhRhAEP3m7LbsIZ77Hmw==",
-      "license": "MIT",
-      "dependencies": {
-        "depd": "~2.0.0",
-        "keygrip": "~1.1.0"
-      },
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
     "node_modules/copy-anything": {
       "version": "4.0.5",
       "resolved": "https://registry.npmjs.org/copy-anything/-/copy-anything-4.0.5.tgz",
@@ -8740,84 +7855,12 @@
       "integrity": "sha512-aylIc7Z9y4yzHYAJNuESG3hfhC+0Ibp/MAMiaOZgNv4pmEdFyfZhhhny4MNiAfWdBQ1RQ2mfDWmM1x8SvGyp8g==",
       "license": "CC0-1.0"
     },
-    "node_modules/cssstyle": {
-      "version": "6.1.0",
-      "resolved": "https://registry.npmjs.org/cssstyle/-/cssstyle-6.1.0.tgz",
-      "integrity": "sha512-Ml4fP2UT2K3CUBQnVlbdV/8aFDdlY69E+YnwJM+3VUWl08S3J8c8aRuJqCkD9Py8DHZ7zNNvsfKl8psocHZEFg==",
-      "license": "MIT",
-      "dependencies": {
-        "@asamuzakjp/css-color": "^5.0.0",
-        "@csstools/css-syntax-patches-for-csstree": "^1.0.28",
-        "css-tree": "^3.1.0",
-        "lru-cache": "^11.2.6"
-      },
-      "engines": {
-        "node": ">=20"
-      }
-    },
-    "node_modules/cssstyle/node_modules/lru-cache": {
-      "version": "11.2.6",
-      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.2.6.tgz",
-      "integrity": "sha512-ESL2CrkS/2wTPfuend7Zhkzo2u0daGJ/A2VucJOgQ/C48S/zB8MMeMHSGKYpXhIjbPxfuezITkaBH1wqv00DDQ==",
-      "license": "BlueOak-1.0.0",
-      "engines": {
-        "node": "20 || >=22"
-      }
-    },
     "node_modules/csstype": {
       "version": "3.2.3",
       "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.2.3.tgz",
       "integrity": "sha512-z1HGKcYy2xA8AGQfwrn0PAy+PB7X/GSj3UVJW9qKyn43xWa+gl5nXmU4qqLMRzWVLFC8KusUX8T/0kCiOYpAIQ==",
       "license": "MIT"
     },
-    "node_modules/data-urls": {
-      "version": "7.0.0",
-      "resolved": "https://registry.npmjs.org/data-urls/-/data-urls-7.0.0.tgz",
-      "integrity": "sha512-23XHcCF+coGYevirZceTVD7NdJOqVn+49IHyxgszm+JIiHLoB2TkmPtsYkNWT1pvRSGkc35L6NHs0yHkN2SumA==",
-      "license": "MIT",
-      "dependencies": {
-        "whatwg-mimetype": "^5.0.0",
-        "whatwg-url": "^16.0.0"
-      },
-      "engines": {
-        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
-      }
-    },
-    "node_modules/data-urls/node_modules/tr46": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/tr46/-/tr46-6.0.0.tgz",
-      "integrity": "sha512-bLVMLPtstlZ4iMQHpFHTR7GAGj2jxi8Dg0s2h2MafAE4uSWF98FC/3MomU51iQAMf8/qDUbKWf5GxuvvVcXEhw==",
-      "license": "MIT",
-      "dependencies": {
-        "punycode": "^2.3.1"
-      },
-      "engines": {
-        "node": ">=20"
-      }
-    },
-    "node_modules/data-urls/node_modules/webidl-conversions": {
-      "version": "8.0.1",
-      "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-8.0.1.tgz",
-      "integrity": "sha512-BMhLD/Sw+GbJC21C/UgyaZX41nPt8bUTg+jWyDeg7e7YN4xOM05YPSIXceACnXVtqyEw/LMClUQMtMZ+PGGpqQ==",
-      "license": "BSD-2-Clause",
-      "engines": {
-        "node": ">=20"
-      }
-    },
-    "node_modules/data-urls/node_modules/whatwg-url": {
-      "version": "16.0.1",
-      "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-16.0.1.tgz",
-      "integrity": "sha512-1to4zXBxmXHV3IiSSEInrreIlu02vUOvrhxJJH5vcxYTBDAx51cqZiKdyTxlecdKNSjj8EcxGBxNf6Vg+945gw==",
-      "license": "MIT",
-      "dependencies": {
-        "@exodus/bytes": "^1.11.0",
-        "tr46": "^6.0.0",
-        "webidl-conversions": "^8.0.1"
-      },
-      "engines": {
-        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
-      }
-    },
     "node_modules/db0": {
       "version": "0.3.4",
       "resolved": "https://registry.npmjs.org/db0/-/db0-0.3.4.tgz",
@@ -8869,18 +7912,6 @@
         }
       }
     },
-    "node_modules/decimal.js": {
-      "version": "10.6.0",
-      "resolved": "https://registry.npmjs.org/decimal.js/-/decimal.js-10.6.0.tgz",
-      "integrity": "sha512-YpgQiITW3JXGntzdUmyUR1V812Hn8T1YVXhCu+wO3OpS4eU9l4YdD3qjyiKdV6mvV29zapkMeD390UVEf2lkUg==",
-      "license": "MIT"
-    },
-    "node_modules/deep-equal": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/deep-equal/-/deep-equal-1.0.1.tgz",
-      "integrity": "sha512-bHtC0iYvWhyaTzvV3CZgPeZQqCOBGyGsVV7v4eevpdkLHfiSrXUdBG+qAuSz4RI70sszvjQ1QSZ98An1yNwpSw==",
-      "license": "MIT"
-    },
     "node_modules/deep-is": {
       "version": "0.1.4",
       "resolved": "https://registry.npmjs.org/deep-is/-/deep-is-0.1.4.tgz",
@@ -8948,12 +7979,6 @@
         "node": ">=0.4.0"
       }
     },
-    "node_modules/delegates": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/delegates/-/delegates-1.0.0.tgz",
-      "integrity": "sha512-bd2L678uiWATM6m5Z1VzNCErI3jiGzt6HGY8OVICs40JQq/HALfbyNJmp0UDakEY4pMMaN0Ly5om/B1VI/+xfQ==",
-      "license": "MIT"
-    },
     "node_modules/denque": {
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/denque/-/denque-2.1.0.tgz",
@@ -8978,16 +8003,6 @@
       "integrity": "sha512-ugFTXCtDZunbzasqBxrK93Ik/DRYsO6S/fedkWEMKqt04xZ4csmnmwGDBAb07QWNaGMAmnTIemsYZCksjATwsA==",
       "license": "MIT"
     },
-    "node_modules/destroy": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/destroy/-/destroy-1.2.0.tgz",
-      "integrity": "sha512-2sJGJTaXIIaR1w4iJSNoN0hnMY7Gpc/n8D4qSCJw8QqFWXf7cuAgnEHxBpweaVcPevC2l3KpjYCx3NypQQgaJg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.8",
-        "npm": "1.2.8000 || >= 1.4.16"
-      }
-    },
     "node_modules/detect-libc": {
       "version": "2.1.2",
       "resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.1.2.tgz",
@@ -9065,15 +8080,6 @@
         "url": "https://github.com/fb55/domhandler?sponsor=1"
       }
     },
-    "node_modules/dompurify": {
-      "version": "3.3.1",
-      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.3.1.tgz",
-      "integrity": "sha512-qkdCKzLNtrgPFP1Vo+98FRzJnBRGe4ffyCea9IwHB1fyxPOeNTHpLKYGd4Uk9xvNoH0ZoOjwZxNptyMwqrId1Q==",
-      "license": "(MPL-2.0 OR Apache-2.0)",
-      "optionalDependencies": {
-        "@types/trusted-types": "^2.0.7"
-      }
-    },
     "node_modules/domutils": {
       "version": "3.2.2",
       "resolved": "https://registry.npmjs.org/domutils/-/domutils-3.2.2.tgz",
@@ -10018,18 +9024,6 @@
         "node": ">=0.10.0"
       }
     },
-    "node_modules/eta": {
-      "version": "4.5.1",
-      "resolved": "https://registry.npmjs.org/eta/-/eta-4.5.1.tgz",
-      "integrity": "sha512-EaNCGm+8XEIU7YNcc+THptWAO5NfKBHHARxt+wxZljj9bTr/+arRoOm9/MpGt4n6xn9fLnPFRSoLD0WFYGFUxQ==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=20"
-      },
-      "funding": {
-        "url": "https://github.com/bgub/eta?sponsor=1"
-      }
-    },
     "node_modules/etag": {
       "version": "1.8.1",
       "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz",
@@ -10107,32 +9101,12 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
-    "node_modules/expect-type": {
-      "version": "1.3.0",
-      "resolved": "https://registry.npmjs.org/expect-type/-/expect-type-1.3.0.tgz",
-      "integrity": "sha512-knvyeauYhqjOYvQ66MznSMs83wmHrCycNEN6Ao+2AeYEfxUIkuiVxdEa1qlGEPK+We3n0THiDciYSsCcgW/DoA==",
-      "dev": true,
-      "license": "Apache-2.0",
-      "engines": {
-        "node": ">=12.0.0"
-      }
-    },
     "node_modules/exsolve": {
       "version": "1.0.8",
       "resolved": "https://registry.npmjs.org/exsolve/-/exsolve-1.0.8.tgz",
       "integrity": "sha512-LmDxfWXwcTArk8fUEnOfSZpHOJ6zOMUJKOtFLFqJLoKJetuQG874Uc7/Kki7zFLzYybmZhp1M7+98pfMqeX8yA==",
       "license": "MIT"
     },
-    "node_modules/fake-indexeddb": {
-      "version": "6.2.5",
-      "resolved": "https://registry.npmjs.org/fake-indexeddb/-/fake-indexeddb-6.2.5.tgz",
-      "integrity": "sha512-CGnyrvbhPlWYMngksqrSSUT1BAVP49dZocrHuK0SvtR0D5TMs5wP0o3j7jexDJW01KSadjBp1M/71o/KR3nD1w==",
-      "dev": true,
-      "license": "Apache-2.0",
-      "engines": {
-        "node": ">=18"
-      }
-    },
     "node_modules/fast-deep-equal": {
       "version": "3.1.3",
       "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz",
@@ -10787,18 +9761,6 @@
       "integrity": "sha512-Yc+BQe8SvoXH1643Qez1zqLRmbA5rCL+sSmk6TVos0LWVfNIB7PGncdlId77WzLGSIB5KaWgTaNTs2lNVEI6VQ==",
       "license": "MIT"
     },
-    "node_modules/html-encoding-sniffer": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/html-encoding-sniffer/-/html-encoding-sniffer-6.0.0.tgz",
-      "integrity": "sha512-CV9TW3Y3f8/wT0BRFc1/KAVQ3TUHiXmaAb6VW9vtiMFf7SLoMd1PdAc4W3KFOFETBJUb90KatHqlsZMWV+R9Gg==",
-      "license": "MIT",
-      "dependencies": {
-        "@exodus/bytes": "^1.6.0"
-      },
-      "engines": {
-        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
-      }
-    },
     "node_modules/html-entities": {
       "version": "2.6.0",
       "resolved": "https://registry.npmjs.org/html-entities/-/html-entities-2.6.0.tgz",
@@ -10815,53 +9777,6 @@
       ],
       "license": "MIT"
     },
-    "node_modules/http-assert": {
-      "version": "1.5.0",
-      "resolved": "https://registry.npmjs.org/http-assert/-/http-assert-1.5.0.tgz",
-      "integrity": "sha512-uPpH7OKX4H25hBmU6G1jWNaqJGpTXxey+YOUizJUAgu0AjLUeC8D73hTrhvDS5D+GJN1DN1+hhc/eF/wpxtp0w==",
-      "license": "MIT",
-      "dependencies": {
-        "deep-equal": "~1.0.1",
-        "http-errors": "~1.8.0"
-      },
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
-    "node_modules/http-assert/node_modules/depd": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz",
-      "integrity": "sha512-7emPTl6Dpo6JRXOXjLRxck+FlLRX5847cLKEn00PLAgc3g2hTZZgr+e4c2v6QpSmLeFP3n5yUo7ft6avBK/5jQ==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/http-assert/node_modules/http-errors": {
-      "version": "1.8.1",
-      "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.8.1.tgz",
-      "integrity": "sha512-Kpk9Sm7NmI+RHhnj6OIWDI1d6fIoFAtFt9RLaTMRlg/8w49juAStsrBgp0Dp4OdxdVbRIeKhtCUvoi/RuAhO4g==",
-      "license": "MIT",
-      "dependencies": {
-        "depd": "~1.1.2",
-        "inherits": "2.0.4",
-        "setprototypeof": "1.2.0",
-        "statuses": ">= 1.5.0 < 2",
-        "toidentifier": "1.0.1"
-      },
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/http-assert/node_modules/statuses": {
-      "version": "1.5.0",
-      "resolved": "https://registry.npmjs.org/statuses/-/statuses-1.5.0.tgz",
-      "integrity": "sha512-OpZ3zP+jT1PI7I8nemJX4AKmAX070ZkYPVWV/AaKTJl+tXCTGyVdC1a4SL8RUQYEwk/f34ZX8UTykN68FwrqAA==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
     "node_modules/http-errors": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.1.tgz",
@@ -10882,19 +9797,6 @@
         "url": "https://opencollective.com/express"
       }
     },
-    "node_modules/http-proxy-agent": {
-      "version": "7.0.2",
-      "resolved": "https://registry.npmjs.org/http-proxy-agent/-/http-proxy-agent-7.0.2.tgz",
-      "integrity": "sha512-T1gkAiYYDWYx3V5Bmyu7HcfcvL7mUrTWiM6yOfa3PIphViJ/gFPbvidQ+veqSOHci/PxBcDabeUNCzpOODJZig==",
-      "license": "MIT",
-      "dependencies": {
-        "agent-base": "^7.1.0",
-        "debug": "^4.3.4"
-      },
-      "engines": {
-        "node": ">= 14"
-      }
-    },
     "node_modules/http-shutdown": {
       "version": "1.2.2",
       "resolved": "https://registry.npmjs.org/http-shutdown/-/http-shutdown-1.2.2.tgz",
@@ -11235,12 +10137,6 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
-    "node_modules/is-potential-custom-element-name": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/is-potential-custom-element-name/-/is-potential-custom-element-name-1.0.1.tgz",
-      "integrity": "sha512-bCYeRA2rVibKZd+s2625gGnGF/t7DSqDs4dP7CrLA1m7jKWz6pps0LpYLJN8Q64HtmPKJ1hrN3nzPNKFEKOUiQ==",
-      "license": "MIT"
-    },
     "node_modules/is-reference": {
       "version": "1.2.1",
       "resolved": "https://registry.npmjs.org/is-reference/-/is-reference-1.2.1.tgz",
@@ -11316,19 +10212,6 @@
       "integrity": "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==",
       "license": "ISC"
     },
-    "node_modules/isomorphic-dompurify": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/isomorphic-dompurify/-/isomorphic-dompurify-3.0.0.tgz",
-      "integrity": "sha512-5K+MYP7Nrg74+Bi+QmQGzQ/FgEOyVHWsN8MuJy5wYQxxBRxPnWsD25Tjjt5FWYhan3OQ+vNLubyNJH9dfG03lQ==",
-      "license": "MIT",
-      "dependencies": {
-        "dompurify": "^3.3.1",
-        "jsdom": "^28.0.0"
-      },
-      "engines": {
-        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
-      }
-    },
     "node_modules/isomorphic.js": {
       "version": "0.2.5",
       "resolved": "https://registry.npmjs.org/isomorphic.js/-/isomorphic.js-0.2.5.tgz",
@@ -11364,15 +10247,6 @@
         "jiti": "lib/jiti-cli.mjs"
       }
     },
-    "node_modules/jose": {
-      "version": "6.1.3",
-      "resolved": "https://registry.npmjs.org/jose/-/jose-6.1.3.tgz",
-      "integrity": "sha512-0TpaTfihd4QMNwrz/ob2Bp7X04yuxJkjRGi4aKmOqwhov54i6u79oCv7T+C7lo70MKH6BesI3vscD1yb/yzKXQ==",
-      "license": "MIT",
-      "funding": {
-        "url": "https://github.com/sponsors/panva"
-      }
-    },
     "node_modules/js-tokens": {
       "version": "4.0.0",
       "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz",
@@ -11400,90 +10274,6 @@
         "node": ">=20.0.0"
       }
     },
-    "node_modules/jsdom": {
-      "version": "28.1.0",
-      "resolved": "https://registry.npmjs.org/jsdom/-/jsdom-28.1.0.tgz",
-      "integrity": "sha512-0+MoQNYyr2rBHqO1xilltfDjV9G7ymYGlAUazgcDLQaUf8JDHbuGwsxN6U9qWaElZ4w1B2r7yEGIL3GdeW3Rug==",
-      "license": "MIT",
-      "dependencies": {
-        "@acemir/cssom": "^0.9.31",
-        "@asamuzakjp/dom-selector": "^6.8.1",
-        "@bramus/specificity": "^2.4.2",
-        "@exodus/bytes": "^1.11.0",
-        "cssstyle": "^6.0.1",
-        "data-urls": "^7.0.0",
-        "decimal.js": "^10.6.0",
-        "html-encoding-sniffer": "^6.0.0",
-        "http-proxy-agent": "^7.0.2",
-        "https-proxy-agent": "^7.0.6",
-        "is-potential-custom-element-name": "^1.0.1",
-        "parse5": "^8.0.0",
-        "saxes": "^6.0.0",
-        "symbol-tree": "^3.2.4",
-        "tough-cookie": "^6.0.0",
-        "undici": "^7.21.0",
-        "w3c-xmlserializer": "^5.0.0",
-        "webidl-conversions": "^8.0.1",
-        "whatwg-mimetype": "^5.0.0",
-        "whatwg-url": "^16.0.0",
-        "xml-name-validator": "^5.0.0"
-      },
-      "engines": {
-        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
-      },
-      "peerDependencies": {
-        "canvas": "^3.0.0"
-      },
-      "peerDependenciesMeta": {
-        "canvas": {
-          "optional": true
-        }
-      }
-    },
-    "node_modules/jsdom/node_modules/tr46": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/tr46/-/tr46-6.0.0.tgz",
-      "integrity": "sha512-bLVMLPtstlZ4iMQHpFHTR7GAGj2jxi8Dg0s2h2MafAE4uSWF98FC/3MomU51iQAMf8/qDUbKWf5GxuvvVcXEhw==",
-      "license": "MIT",
-      "dependencies": {
-        "punycode": "^2.3.1"
-      },
-      "engines": {
-        "node": ">=20"
-      }
-    },
-    "node_modules/jsdom/node_modules/webidl-conversions": {
-      "version": "8.0.1",
-      "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-8.0.1.tgz",
-      "integrity": "sha512-BMhLD/Sw+GbJC21C/UgyaZX41nPt8bUTg+jWyDeg7e7YN4xOM05YPSIXceACnXVtqyEw/LMClUQMtMZ+PGGpqQ==",
-      "license": "BSD-2-Clause",
-      "engines": {
-        "node": ">=20"
-      }
-    },
-    "node_modules/jsdom/node_modules/whatwg-url": {
-      "version": "16.0.1",
-      "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-16.0.1.tgz",
-      "integrity": "sha512-1to4zXBxmXHV3IiSSEInrreIlu02vUOvrhxJJH5vcxYTBDAx51cqZiKdyTxlecdKNSjj8EcxGBxNf6Vg+945gw==",
-      "license": "MIT",
-      "dependencies": {
-        "@exodus/bytes": "^1.11.0",
-        "tr46": "^6.0.0",
-        "webidl-conversions": "^8.0.1"
-      },
-      "engines": {
-        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
-      }
-    },
-    "node_modules/jsdom/node_modules/xml-name-validator": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/xml-name-validator/-/xml-name-validator-5.0.0.tgz",
-      "integrity": "sha512-EvGK8EJ3DhaHfbRlETOWAS5pO9MZITeauHKJyb8wyajUfQUenkIg2MvLDTZ4T/TgIcm3HU0TFBgWWboAZ30UHg==",
-      "license": "Apache-2.0",
-      "engines": {
-        "node": ">=18"
-      }
-    },
     "node_modules/jsesc": {
       "version": "3.1.0",
       "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-3.1.0.tgz",
@@ -11588,18 +10378,6 @@
         "node": ">=12.0.0"
       }
     },
-    "node_modules/keygrip": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/keygrip/-/keygrip-1.1.0.tgz",
-      "integrity": "sha512-iYSchDJ+liQ8iwbSI2QqsQOvqv58eJCEanyJPJi+Khyu8smkcKSFUCbPwzFcL7YVtZ6eONjqRX/38caJ7QjRAQ==",
-      "license": "MIT",
-      "dependencies": {
-        "tsscmp": "1.0.6"
-      },
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
     "node_modules/keyv": {
       "version": "4.5.4",
       "resolved": "https://registry.npmjs.org/keyv/-/keyv-4.5.4.tgz",
@@ -11633,75 +10411,6 @@
       "integrity": "sha512-4LqMNoONzR43B1W0ek0fhXMsDNW/zxa1NdFAVMY+k28pgZLovR4G3PB5MrpTxCy1QaZCqNoiaKPr5w5qZHfSNw==",
       "license": "MIT"
     },
-    "node_modules/koa": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/koa/-/koa-3.1.2.tgz",
-      "integrity": "sha512-2LOQnFKu3m0VxpE+5sb5+BRTSKrXmNxGgxVRiKwD9s5KQB1zID/FRXhtzeV7RT1L2GVpdEEAfVuclFOMGl1ikA==",
-      "license": "MIT",
-      "dependencies": {
-        "accepts": "^1.3.8",
-        "content-disposition": "~1.0.1",
-        "content-type": "^1.0.5",
-        "cookies": "~0.9.1",
-        "delegates": "^1.0.0",
-        "destroy": "^1.2.0",
-        "encodeurl": "^2.0.0",
-        "escape-html": "^1.0.3",
-        "fresh": "~0.5.2",
-        "http-assert": "^1.5.0",
-        "http-errors": "^2.0.0",
-        "koa-compose": "^4.1.0",
-        "mime-types": "^3.0.1",
-        "on-finished": "^2.4.1",
-        "parseurl": "^1.3.3",
-        "statuses": "^2.0.1",
-        "type-is": "^2.0.1",
-        "vary": "^1.1.2"
-      },
-      "engines": {
-        "node": ">= 18"
-      }
-    },
-    "node_modules/koa-compose": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/koa-compose/-/koa-compose-4.1.0.tgz",
-      "integrity": "sha512-8ODW8TrDuMYvXRwra/Kh7/rJo9BtOfPc6qO8eAfC80CnCvSjSl0bkRM24X6/XBBEyj0v1nRUQ1LyOy3dbqOWXw==",
-      "license": "MIT"
-    },
-    "node_modules/koa/node_modules/fresh": {
-      "version": "0.5.2",
-      "resolved": "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz",
-      "integrity": "sha512-zJ2mQYM18rEFOudeV4GShTGIQ7RbzA7ozbU9I/XBpm7kqgMywgmylMwXHxZJmkVoYkna9d2pVXVXPdYTP9ej8Q==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/koa/node_modules/mime-db": {
-      "version": "1.54.0",
-      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.54.0.tgz",
-      "integrity": "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/koa/node_modules/mime-types": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-3.0.2.tgz",
-      "integrity": "sha512-Lbgzdk0h4juoQ9fCKXW4by0UJqj+nOOrI9MJ1sSj4nI8aI2eo1qmvQEie4VD1glsS250n15LsWsYtCugiStS5A==",
-      "license": "MIT",
-      "dependencies": {
-        "mime-db": "^1.54.0"
-      },
-      "engines": {
-        "node": ">=18"
-      },
-      "funding": {
-        "type": "opencollective",
-        "url": "https://opencollective.com/express"
-      }
-    },
     "node_modules/launch-editor": {
       "version": "2.13.0",
       "resolved": "https://registry.npmjs.org/launch-editor/-/launch-editor-2.13.0.tgz",
@@ -12377,15 +11086,6 @@
       "integrity": "sha512-Lf+9+2r+Tdp5wXDXC4PcIBjTDtq4UKjCPMQhKIuzpJNW0b96kVqSwW0bT7FhRSfmAiFYgP+SCRvdrDozfh0U5w==",
       "license": "MIT"
     },
-    "node_modules/media-typer": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-1.1.0.tgz",
-      "integrity": "sha512-aisnrDP4GNe06UcKFnV5bfMNPBUw4jsLGaWwWfnH3v02GnBuXX2MCVn5RbrWo0j3pczUilYblq7fQ7Nw2t5XKw==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
     "node_modules/memory-pager": {
       "version": "1.5.0",
       "resolved": "https://registry.npmjs.org/memory-pager/-/memory-pager-1.5.0.tgz",
@@ -12752,15 +11452,6 @@
       "integrity": "sha512-OWND8ei3VtNC9h7V60qff3SVobHr996CTwgxubgyQYEpg290h9J0buyECNNJexkFm5sOajh5G116RYA1c8ZMSw==",
       "license": "MIT"
     },
-    "node_modules/negotiator": {
-      "version": "0.6.3",
-      "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.3.tgz",
-      "integrity": "sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
     "node_modules/nitro-cors": {
       "version": "0.7.1",
       "resolved": "https://registry.npmjs.org/nitro-cors/-/nitro-cors-0.7.1.tgz",
@@ -13205,27 +11896,6 @@
       "integrity": "sha512-RdR9FQrFwNBNXAr4GixM8YaRZRJ5PUWbKYbE5eOsrwAjJW0q2REGcf79oYPsLyskQCZG1PLN+S/K1V00joZAoQ==",
       "license": "MIT"
     },
-    "node_modules/oidc-provider": {
-      "version": "9.6.1",
-      "resolved": "https://registry.npmjs.org/oidc-provider/-/oidc-provider-9.6.1.tgz",
-      "integrity": "sha512-8AtFXE4gEV6MLd8Re78VhqGNjBm/SUw0fUxrP2XwQc+5DZKw6GyuTuy2M4jkidpH3jRrhtkkqQpXlxD1Awi6tg==",
-      "license": "MIT",
-      "dependencies": {
-        "@koa/cors": "^5.0.0",
-        "@koa/router": "^15.3.0",
-        "debug": "^4.4.3",
-        "eta": "^4.5.1",
-        "jose": "^6.1.3",
-        "jsesc": "^3.1.0",
-        "koa": "^3.1.1",
-        "nanoid": "^5.1.6",
-        "quick-lru": "^7.3.0",
-        "raw-body": "^3.0.2"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/panva"
-      }
-    },
     "node_modules/on-change": {
       "version": "6.0.2",
       "resolved": "https://registry.npmjs.org/on-change/-/on-change-6.0.2.tgz",
@@ -13574,30 +12244,6 @@
       "integrity": "sha512-HlsyYdMBnbPQ9Jr/VgJ1YF4scnldvJpJxCVx6KgqPL4dxppsWrJHCIIxQXMJrqGnsRkNPATbeMJ8Yxu7JMsYcA==",
       "license": "MIT"
     },
-    "node_modules/parse5": {
-      "version": "8.0.0",
-      "resolved": "https://registry.npmjs.org/parse5/-/parse5-8.0.0.tgz",
-      "integrity": "sha512-9m4m5GSgXjL4AjumKzq1Fgfp3Z8rsvjRNbnkVwfu2ImRqE5D0LnY2QfDen18FSY9C573YU5XxSapdHZTZ2WolA==",
-      "license": "MIT",
-      "dependencies": {
-        "entities": "^6.0.0"
-      },
-      "funding": {
-        "url": "https://github.com/inikulin/parse5?sponsor=1"
-      }
-    },
-    "node_modules/parse5/node_modules/entities": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/entities/-/entities-6.0.1.tgz",
-      "integrity": "sha512-aN97NXWF6AWBTahfVOIrB/NShkzi5H7F9r1s9mD3cDj4Ko5f2qhhVoYMibXF7GlLveb/D2ioWay8lxI97Ven3g==",
-      "license": "BSD-2-Clause",
-      "engines": {
-        "node": ">=0.12"
-      },
-      "funding": {
-        "url": "https://github.com/fb55/entities?sponsor=1"
-      }
-    },
     "node_modules/parseurl": {
       "version": "1.3.3",
       "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz",
@@ -13662,16 +12308,6 @@
         "node": "20 || >=22"
       }
     },
-    "node_modules/path-to-regexp": {
-      "version": "8.3.0",
-      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.3.0.tgz",
-      "integrity": "sha512-7jdwVIRtsP8MYpdXSwOS0YdD0Du+qOoF/AEPIt88PcCFrZCzx41oxku1jD88hZBwbNUIEfpqvuhjFaMAqMTWnA==",
-      "license": "MIT",
-      "funding": {
-        "type": "opencollective",
-        "url": "https://opencollective.com/express"
-      }
-    },
     "node_modules/pathe": {
       "version": "2.0.3",
       "resolved": "https://registry.npmjs.org/pathe/-/pathe-2.0.3.tgz",
@@ -14574,18 +13210,6 @@
       ],
       "license": "MIT"
     },
-    "node_modules/quick-lru": {
-      "version": "7.3.0",
-      "resolved": "https://registry.npmjs.org/quick-lru/-/quick-lru-7.3.0.tgz",
-      "integrity": "sha512-k9lSsjl36EJdK7I06v7APZCbyGT2vMTsYSRX1Q2nbYmnkBqgUhRkAuzH08Ciotteu/PLJmIF2+tti7o3C/ts2g==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=18"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
-      }
-    },
     "node_modules/radix3": {
       "version": "1.1.2",
       "resolved": "https://registry.npmjs.org/radix3/-/radix3-1.1.2.tgz",
@@ -14610,43 +13234,6 @@
         "node": ">= 0.6"
       }
     },
-    "node_modules/rate-limiter-flexible": {
-      "version": "9.1.1",
-      "resolved": "https://registry.npmjs.org/rate-limiter-flexible/-/rate-limiter-flexible-9.1.1.tgz",
-      "integrity": "sha512-imxFjzPCmvDLMe7d2tsgiSQvs5EI2fI9SNymmslAfOqznZhsZ+PqbIjIYKpuSbd3pKovR1aMG47qfCLIO/adVg==",
-      "license": "ISC"
-    },
-    "node_modules/raw-body": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-3.0.2.tgz",
-      "integrity": "sha512-K5zQjDllxWkf7Z5xJdV0/B0WTNqx6vxG70zJE4N0kBs4LovmEYWJzQGxC9bS9RAKu3bgM40lrd5zoLJ12MQ5BA==",
-      "license": "MIT",
-      "dependencies": {
-        "bytes": "~3.1.2",
-        "http-errors": "~2.0.1",
-        "iconv-lite": "~0.7.0",
-        "unpipe": "~1.0.0"
-      },
-      "engines": {
-        "node": ">= 0.10"
-      }
-    },
-    "node_modules/raw-body/node_modules/iconv-lite": {
-      "version": "0.7.2",
-      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.7.2.tgz",
-      "integrity": "sha512-im9DjEDQ55s9fL4EYzOAv0yMqmMBSZp6G0VvFyTMPKWxiSBHUj9NW/qqLmXUwXrrM7AvqSlTCfvqRb0cM8yYqw==",
-      "license": "MIT",
-      "dependencies": {
-        "safer-buffer": ">= 2.1.2 < 3.0.0"
-      },
-      "engines": {
-        "node": ">=0.10.0"
-      },
-      "funding": {
-        "type": "opencollective",
-        "url": "https://opencollective.com/express"
-      }
-    },
     "node_modules/rc9": {
       "version": "3.0.0",
       "resolved": "https://registry.npmjs.org/rc9/-/rc9-3.0.0.tgz",
@@ -14823,15 +13410,6 @@
         "node": ">=0.10.0"
       }
     },
-    "node_modules/require-from-string": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/require-from-string/-/require-from-string-2.0.2.tgz",
-      "integrity": "sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    },
     "node_modules/resend": {
       "version": "6.9.2",
       "resolved": "https://registry.npmjs.org/resend/-/resend-6.9.2.tgz",
@@ -15084,18 +13662,6 @@
         "node": ">=11.0.0"
       }
     },
-    "node_modules/saxes": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/saxes/-/saxes-6.0.0.tgz",
-      "integrity": "sha512-xAg7SOnEhrm5zI3puOOKyy1OMcMlIJZYNJY7xLBwSze0UjhPLnWfj2GF2EpT0jmzaJKIWKHLsaSSajf35bcYnA==",
-      "license": "ISC",
-      "dependencies": {
-        "xmlchars": "^2.2.0"
-      },
-      "engines": {
-        "node": ">=v12.22.7"
-      }
-    },
     "node_modules/scslre": {
       "version": "0.3.0",
       "resolved": "https://registry.npmjs.org/scslre/-/scslre-0.3.0.tgz",
@@ -15270,13 +13836,6 @@
       "integrity": "sha512-Rtlj66/b0ICeFzYTuNvX/EF1igRbbnGSvEyT79McoZa/DeGhMyC5pWKOEsZKnpkqtSeovd5FL/bjHWC3CIIvCQ==",
       "license": "MIT"
     },
-    "node_modules/siginfo": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/siginfo/-/siginfo-2.0.0.tgz",
-      "integrity": "sha512-ybx0WO1/8bSBLEWXZvEd7gMW3Sn3JFlW3TvX1nREbDLRNQNaeNN8WK0meBwPdAaOI7TtRRRJn/Es1zhrrCHu7g==",
-      "dev": true,
-      "license": "ISC"
-    },
     "node_modules/signal-exit": {
       "version": "4.1.0",
       "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz",
@@ -15443,13 +14002,6 @@
         "node": ">=12.0.0"
       }
     },
-    "node_modules/stackback": {
-      "version": "0.0.2",
-      "resolved": "https://registry.npmjs.org/stackback/-/stackback-0.0.2.tgz",
-      "integrity": "sha512-1XMJE5fQo1jGH6Y/7ebnwPOBEkIEnT4QF32d5R1+VXdXveM0IBMJt8zfaxX1P3QhVwrYe+576+jkANtSS2mBbw==",
-      "dev": true,
-      "license": "MIT"
-    },
     "node_modules/standard-as-callback": {
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/standard-as-callback/-/standard-as-callback-2.1.0.tgz",
@@ -15724,12 +14276,6 @@
         "uuid": "^10.0.0"
       }
     },
-    "node_modules/symbol-tree": {
-      "version": "3.2.4",
-      "resolved": "https://registry.npmjs.org/symbol-tree/-/symbol-tree-3.2.4.tgz",
-      "integrity": "sha512-9QNk5KwDF+Bvz+PyObkmSYjI5ksVUYtjW7AU22r2NKcfLJcXp96hkDWU3+XndOsUb+AQ9QhfzfCT2O+CNWT5Tw==",
-      "license": "MIT"
-    },
     "node_modules/system-architecture": {
       "version": "0.1.0",
       "resolved": "https://registry.npmjs.org/system-architecture/-/system-architecture-0.1.0.tgz",
@@ -15883,13 +14429,6 @@
       "integrity": "sha512-+FbBPE1o9QAYvviau/qC5SE3caw21q3xkvWKBtja5vgqOWIHHJ3ioaq1VPfn/Szqctz2bU/oYeKd9/z5BL+PVg==",
       "license": "MIT"
     },
-    "node_modules/tinybench": {
-      "version": "2.9.0",
-      "resolved": "https://registry.npmjs.org/tinybench/-/tinybench-2.9.0.tgz",
-      "integrity": "sha512-0+DUvqWMValLmha6lr4kD8iAMK1HzV0/aKnCtWb9v9641TnP/MFb7Pc2bxoxQjTXAErryXVgUOfv2YqNllqGeg==",
-      "dev": true,
-      "license": "MIT"
-    },
     "node_modules/tinyexec": {
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/tinyexec/-/tinyexec-1.0.2.tgz",
@@ -15915,34 +14454,6 @@
         "url": "https://github.com/sponsors/SuperchupuDev"
       }
     },
-    "node_modules/tinyrainbow": {
-      "version": "3.0.3",
-      "resolved": "https://registry.npmjs.org/tinyrainbow/-/tinyrainbow-3.0.3.tgz",
-      "integrity": "sha512-PSkbLUoxOFRzJYjjxHJt9xro7D+iilgMX/C9lawzVuYiIdcihh9DXmVibBe8lmcFrRi/VzlPjBxbN7rH24q8/Q==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=14.0.0"
-      }
-    },
-    "node_modules/tldts": {
-      "version": "7.0.23",
-      "resolved": "https://registry.npmjs.org/tldts/-/tldts-7.0.23.tgz",
-      "integrity": "sha512-ASdhgQIBSay0R/eXggAkQ53G4nTJqTXqC2kbaBbdDwM7SkjyZyO0OaaN1/FH7U/yCeqOHDwFO5j8+Os/IS1dXw==",
-      "license": "MIT",
-      "dependencies": {
-        "tldts-core": "^7.0.23"
-      },
-      "bin": {
-        "tldts": "bin/cli.js"
-      }
-    },
-    "node_modules/tldts-core": {
-      "version": "7.0.23",
-      "resolved": "https://registry.npmjs.org/tldts-core/-/tldts-core-7.0.23.tgz",
-      "integrity": "sha512-0g9vrtDQLrNIiCj22HSe9d4mLVG3g5ph5DZ8zCKBr4OtrspmNB6ss7hVyzArAeE88ceZocIEGkyW1Ime7fxPtQ==",
-      "license": "MIT"
-    },
     "node_modules/to-regex-range": {
       "version": "5.0.1",
       "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
@@ -15989,18 +14500,6 @@
         "node": ">=6"
       }
     },
-    "node_modules/tough-cookie": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-6.0.0.tgz",
-      "integrity": "sha512-kXuRi1mtaKMrsLUxz3sQYvVl37B0Ns6MzfrtV5DvJceE9bPyspOqk9xxv7XbZWcfLWbFmm997vl83qUWVJA64w==",
-      "license": "BSD-3-Clause",
-      "dependencies": {
-        "tldts": "^7.0.5"
-      },
-      "engines": {
-        "node": ">=16"
-      }
-    },
     "node_modules/tr46": {
       "version": "5.1.1",
       "resolved": "https://registry.npmjs.org/tr46/-/tr46-5.1.1.tgz",
@@ -16031,15 +14530,6 @@
       "integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==",
       "license": "0BSD"
     },
-    "node_modules/tsscmp": {
-      "version": "1.0.6",
-      "resolved": "https://registry.npmjs.org/tsscmp/-/tsscmp-1.0.6.tgz",
-      "integrity": "sha512-LxhtAkPDTkVCMQjt2h6eBVY28KCjikZqZfMcC15YBeNjkgUpdCfBu5HoiOTDu86v6smE8yOjyEktJ8hlbANHQA==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=0.6.x"
-      }
-    },
     "node_modules/type-check": {
       "version": "0.4.0",
       "resolved": "https://registry.npmjs.org/type-check/-/type-check-0.4.0.tgz",
@@ -16067,45 +14557,6 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
-    "node_modules/type-is": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/type-is/-/type-is-2.0.1.tgz",
-      "integrity": "sha512-OZs6gsjF4vMp32qrCbiVSkrFmXtG/AZhY3t0iAMrMBiAZyV9oALtXO8hsrHbMXF9x6L3grlFuwW2oAz7cav+Gw==",
-      "license": "MIT",
-      "dependencies": {
-        "content-type": "^1.0.5",
-        "media-typer": "^1.1.0",
-        "mime-types": "^3.0.0"
-      },
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/type-is/node_modules/mime-db": {
-      "version": "1.54.0",
-      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.54.0.tgz",
-      "integrity": "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/type-is/node_modules/mime-types": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-3.0.2.tgz",
-      "integrity": "sha512-Lbgzdk0h4juoQ9fCKXW4by0UJqj+nOOrI9MJ1sSj4nI8aI2eo1qmvQEie4VD1glsS250n15LsWsYtCugiStS5A==",
-      "license": "MIT",
-      "dependencies": {
-        "mime-db": "^1.54.0"
-      },
-      "engines": {
-        "node": ">=18"
-      },
-      "funding": {
-        "type": "opencollective",
-        "url": "https://opencollective.com/express"
-      }
-    },
     "node_modules/type-level-regexp": {
       "version": "0.1.17",
       "resolved": "https://registry.npmjs.org/type-level-regexp/-/type-level-regexp-0.1.17.tgz",
@@ -16185,15 +14636,6 @@
         "node": ">=18.12.0"
       }
     },
-    "node_modules/undici": {
-      "version": "7.22.0",
-      "resolved": "https://registry.npmjs.org/undici/-/undici-7.22.0.tgz",
-      "integrity": "sha512-RqslV2Us5BrllB+JeiZnK4peryVTndy9Dnqq62S3yYRRTj0tFQCwEniUy2167skdGOy3vqRzEvl1Dm4sV2ReDg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=20.18.1"
-      }
-    },
     "node_modules/undici-types": {
       "version": "7.18.2",
       "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.18.2.tgz",
@@ -16327,15 +14769,6 @@
         "url": "https://github.com/sponsors/sxzz"
       }
     },
-    "node_modules/unpipe": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz",
-      "integrity": "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
     "node_modules/unplugin": {
       "version": "3.0.0",
       "resolved": "https://registry.npmjs.org/unplugin/-/unplugin-3.0.0.tgz",
@@ -16811,15 +15244,6 @@
         "uuid": "dist/bin/uuid"
       }
     },
-    "node_modules/vary": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz",
-      "integrity": "sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
     "node_modules/vaul-vue": {
       "version": "0.4.1",
       "resolved": "https://registry.npmjs.org/vaul-vue/-/vaul-vue-0.4.1.tgz",
@@ -17287,101 +15711,6 @@
         "@types/estree": "^1.0.0"
       }
     },
-    "node_modules/vitest": {
-      "version": "4.0.18",
-      "resolved": "https://registry.npmjs.org/vitest/-/vitest-4.0.18.tgz",
-      "integrity": "sha512-hOQuK7h0FGKgBAas7v0mSAsnvrIgAvWmRFjmzpJ7SwFHH3g1k2u37JtYwOwmEKhK6ZO3v9ggDBBm0La1LCK4uQ==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@vitest/expect": "4.0.18",
-        "@vitest/mocker": "4.0.18",
-        "@vitest/pretty-format": "4.0.18",
-        "@vitest/runner": "4.0.18",
-        "@vitest/snapshot": "4.0.18",
-        "@vitest/spy": "4.0.18",
-        "@vitest/utils": "4.0.18",
-        "es-module-lexer": "^1.7.0",
-        "expect-type": "^1.2.2",
-        "magic-string": "^0.30.21",
-        "obug": "^2.1.1",
-        "pathe": "^2.0.3",
-        "picomatch": "^4.0.3",
-        "std-env": "^3.10.0",
-        "tinybench": "^2.9.0",
-        "tinyexec": "^1.0.2",
-        "tinyglobby": "^0.2.15",
-        "tinyrainbow": "^3.0.3",
-        "vite": "^6.0.0 || ^7.0.0",
-        "why-is-node-running": "^2.3.0"
-      },
-      "bin": {
-        "vitest": "vitest.mjs"
-      },
-      "engines": {
-        "node": "^20.0.0 || ^22.0.0 || >=24.0.0"
-      },
-      "funding": {
-        "url": "https://opencollective.com/vitest"
-      },
-      "peerDependencies": {
-        "@edge-runtime/vm": "*",
-        "@opentelemetry/api": "^1.9.0",
-        "@types/node": "^20.0.0 || ^22.0.0 || >=24.0.0",
-        "@vitest/browser-playwright": "4.0.18",
-        "@vitest/browser-preview": "4.0.18",
-        "@vitest/browser-webdriverio": "4.0.18",
-        "@vitest/ui": "4.0.18",
-        "happy-dom": "*",
-        "jsdom": "*"
-      },
-      "peerDependenciesMeta": {
-        "@edge-runtime/vm": {
-          "optional": true
-        },
-        "@opentelemetry/api": {
-          "optional": true
-        },
-        "@types/node": {
-          "optional": true
-        },
-        "@vitest/browser-playwright": {
-          "optional": true
-        },
-        "@vitest/browser-preview": {
-          "optional": true
-        },
-        "@vitest/browser-webdriverio": {
-          "optional": true
-        },
-        "@vitest/ui": {
-          "optional": true
-        },
-        "happy-dom": {
-          "optional": true
-        },
-        "jsdom": {
-          "optional": true
-        }
-      }
-    },
-    "node_modules/vitest-environment-nuxt": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/vitest-environment-nuxt/-/vitest-environment-nuxt-1.0.1.tgz",
-      "integrity": "sha512-eBCwtIQriXW5/M49FjqNKfnlJYlG2LWMSNFsRVKomc8CaMqmhQPBS5LZ9DlgYL9T8xIVsiA6RZn2lk7vxov3Ow==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@nuxt/test-utils": ">=3.13.1"
-      }
-    },
-    "node_modules/vitest/node_modules/es-module-lexer": {
-      "version": "1.7.0",
-      "resolved": "https://registry.npmjs.org/es-module-lexer/-/es-module-lexer-1.7.0.tgz",
-      "integrity": "sha512-jEQoCwk8hyb2AZziIOLhDqpm5+2ww5uIE6lkO/6jcOCusfk6LhMHpXXfBLXTZ7Ydyt0j4VoUQv6uGNYbdW+kBA==",
-      "dev": true,
-      "license": "MIT"
-    },
     "node_modules/vscode-uri": {
       "version": "3.1.0",
       "resolved": "https://registry.npmjs.org/vscode-uri/-/vscode-uri-3.1.0.tgz",
@@ -17486,27 +15815,6 @@
       "integrity": "sha512-dpojBhNsCNN7T82Tm7k26A6G9ML3NkhDsnw9n/eoxSRlVBB4CEtIQ/KTCLI2Fwf3ataSXRhYFkQi3SlnFwPvPQ==",
       "license": "MIT"
     },
-    "node_modules/w3c-xmlserializer": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/w3c-xmlserializer/-/w3c-xmlserializer-5.0.0.tgz",
-      "integrity": "sha512-o8qghlI8NZHU1lLPrpi2+Uq7abh4GGPpYANlalzWxyWteJOCsr/P+oPBA49TOLu5FTZO4d3F9MnWJfiMo4BkmA==",
-      "license": "MIT",
-      "dependencies": {
-        "xml-name-validator": "^5.0.0"
-      },
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/w3c-xmlserializer/node_modules/xml-name-validator": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/xml-name-validator/-/xml-name-validator-5.0.0.tgz",
-      "integrity": "sha512-EvGK8EJ3DhaHfbRlETOWAS5pO9MZITeauHKJyb8wyajUfQUenkIg2MvLDTZ4T/TgIcm3HU0TFBgWWboAZ30UHg==",
-      "license": "Apache-2.0",
-      "engines": {
-        "node": ">=18"
-      }
-    },
     "node_modules/webidl-conversions": {
       "version": "7.0.0",
       "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-7.0.0.tgz",
@@ -17522,15 +15830,6 @@
       "integrity": "sha512-66/V2i5hQanC51vBQKPH4aI8NMAcBW59FVBs+rC7eGHupMyfn34q7rZIE+ETlJ+XTevqfUhVVBgSUNSW2flEUQ==",
       "license": "MIT"
     },
-    "node_modules/whatwg-mimetype": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/whatwg-mimetype/-/whatwg-mimetype-5.0.0.tgz",
-      "integrity": "sha512-sXcNcHOC51uPGF0P/D4NVtrkjSU2fNsm9iog4ZvZJsL3rjoDAzXZhkm2MWt1y+PUdggKAYVoMAIYcs78wJ51Cw==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=20"
-      }
-    },
     "node_modules/whatwg-url": {
       "version": "14.2.0",
       "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-14.2.0.tgz",
@@ -17568,23 +15867,6 @@
         "node": ">= 8"
       }
     },
-    "node_modules/why-is-node-running": {
-      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/why-is-node-running/-/why-is-node-running-2.3.0.tgz",
-      "integrity": "sha512-hUrmaWBdVDcxvYqnyh09zunKzROWjbZTiNy8dBEjkS7ehEDQibXJ7XvlmtbwuTclUiIyN+CyXQD4Vmko8fNm8w==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "siginfo": "^2.0.0",
-        "stackback": "0.0.2"
-      },
-      "bin": {
-        "why-is-node-running": "cli.js"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
     "node_modules/word-wrap": {
       "version": "1.2.5",
       "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.5.tgz",
@@ -17674,12 +15956,6 @@
         "node": ">=12"
       }
     },
-    "node_modules/xmlchars": {
-      "version": "2.2.0",
-      "resolved": "https://registry.npmjs.org/xmlchars/-/xmlchars-2.2.0.tgz",
-      "integrity": "sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw==",
-      "license": "MIT"
-    },
     "node_modules/y-protocols": {
       "version": "1.0.7",
       "resolved": "https://registry.npmjs.org/y-protocols/-/y-protocols-1.0.7.tgz",
diff --git a/package.json b/package.json
index 3661871..4d998b9 100644
--- a/package.json
+++ b/package.json
@@ -7,9 +7,7 @@
     "dev": "nuxt dev",
     "generate": "nuxt generate",
     "preview": "nuxt preview",
-    "postinstall": "nuxt prepare",
-    "test": "vitest",
-    "test:run": "vitest run"
+    "postinstall": "nuxt prepare"
   },
   "dependencies": {
     "@cloudinary/vue": "^1.13.3",
@@ -19,17 +17,15 @@
     "@nuxt/ui": "^4.0.0",
     "@nuxtjs/plausible": "^3.0.1",
     "@slack/web-api": "^7.10.0",
+    "bcryptjs": "^3.0.2",
     "chrono-node": "^2.8.4",
     "cloudinary": "^2.7.0",
     "eslint": "^9.34.0",
-    "isomorphic-dompurify": "^3.0.0",
     "jsonwebtoken": "^9.0.2",
     "marked": "^17.0.3",
     "mongoose": "^8.18.0",
     "nitro-cors": "^0.7.1",
     "nuxt": "^4.0.3",
-    "oidc-provider": "^9.6.1",
-    "rate-limiter-flexible": "^9.1.1",
     "resend": "^6.0.1",
     "typescript": "^5.9.2",
     "vue": "^3.5.20",
@@ -37,11 +33,6 @@
     "zod": "^4.1.3"
   },
   "devDependencies": {
-    "@nuxt/test-utils": "^4.0.0",
-    "@tailwindcss/typography": "^0.5.19",
-    "@types/jsonwebtoken": "^9.0.10",
-    "@types/oidc-provider": "^9.5.0",
-    "jsdom": "^28.1.0",
-    "vitest": "^4.0.18"
+    "@tailwindcss/typography": "^0.5.19"
   }
 }
diff --git a/server/api/admin/dashboard.get.js b/server/api/admin/dashboard.get.js
index 31786e1..5af6cec 100644
--- a/server/api/admin/dashboard.get.js
+++ b/server/api/admin/dashboard.get.js
@@ -1,13 +1,26 @@
 import Member from '../../models/member.js'
 import Event from '../../models/event.js'
 import { connectDB } from '../../utils/mongoose.js'
-import { requireAdmin } from '../../utils/auth.js'
+import jwt from 'jsonwebtoken'
 
 export default defineEventHandler(async (event) => {
   try {
-    await requireAdmin(event)
-    await connectDB()
+    // TODO: Temporarily disabled auth for testing - enable when authentication is set up
+    // Basic auth check
+    // const token = getCookie(event, 'auth-token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
+    
+    // if (!token) {
+    //   throw createError({
+    //     statusCode: 401,
+    //     statusMessage: 'Authentication required'
+    //   })
+    // }
 
+    // const config = useRuntimeConfig()
+    // jwt.verify(token, config.jwtSecret)
+
+    await connectDB()
+    
     // Get stats
     const totalMembers = await Member.countDocuments()
     const now = new Date()
@@ -15,21 +28,21 @@ export default defineEventHandler(async (event) => {
       startDate: { $lte: now },
       endDate: { $gte: now }
     })
-
+    
     // Calculate monthly revenue from member contributions
     const members = await Member.find({}, 'contributionTier').lean()
     const monthlyRevenue = members.reduce((total, member) => {
       return total + parseInt(member.contributionTier || '0')
     }, 0)
-
+    
     const pendingSlackInvites = await Member.countDocuments({ slackInvited: false })
-
+    
     // Get recent members (last 5)
     const recentMembers = await Member.find()
       .sort({ createdAt: -1 })
       .limit(5)
       .lean()
-
+    
     // Get upcoming events (next 5)
     const upcomingEvents = await Event.find({
       startDate: { $gte: now }
@@ -37,7 +50,7 @@ export default defineEventHandler(async (event) => {
       .sort({ startDate: 1 })
       .limit(5)
       .lean()
-
+    
     return {
       stats: {
         totalMembers,
@@ -49,10 +62,9 @@ export default defineEventHandler(async (event) => {
       upcomingEvents
     }
   } catch (error) {
-    if (error.statusCode) throw error
     throw createError({
       statusCode: 500,
       statusMessage: 'Failed to fetch dashboard data'
     })
   }
-})
+})
\ No newline at end of file
diff --git a/server/api/admin/events.get.js b/server/api/admin/events.get.js
index b29f746..832b642 100644
--- a/server/api/admin/events.get.js
+++ b/server/api/admin/events.get.js
@@ -1,22 +1,34 @@
 import Event from '../../models/event.js'
 import { connectDB } from '../../utils/mongoose.js'
-import { requireAdmin } from '../../utils/auth.js'
+import jwt from 'jsonwebtoken'
 
 export default defineEventHandler(async (event) => {
   try {
-    await requireAdmin(event)
-    await connectDB()
+    // TODO: Temporarily disabled auth for testing - enable when authentication is set up
+    // Basic auth check - you may want to implement proper admin role checking
+    // const token = getCookie(event, 'auth-token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
+    
+    // if (!token) {
+    //   throw createError({
+    //     statusCode: 401,
+    //     statusMessage: 'Authentication required'
+    //   })
+    // }
 
+    // const config = useRuntimeConfig()
+    // jwt.verify(token, config.jwtSecret)
+
+    await connectDB()
+    
     const events = await Event.find()
       .sort({ startDate: 1 })
       .lean()
 
     return events
   } catch (error) {
-    if (error.statusCode) throw error
     throw createError({
       statusCode: 500,
       statusMessage: 'Failed to fetch events'
     })
   }
-})
+})
\ No newline at end of file
diff --git a/server/api/admin/events.post.js b/server/api/admin/events.post.js
index 875499b..8ea3faa 100644
--- a/server/api/admin/events.post.js
+++ b/server/api/admin/events.post.js
@@ -1,20 +1,37 @@
 import Event from "../../models/event.js";
 import { connectDB } from "../../utils/mongoose.js";
-import { requireAdmin } from "../../utils/auth.js";
-import { validateBody } from "../../utils/validateBody.js";
-import { adminEventCreateSchema } from "../../utils/schemas.js";
+import jwt from "jsonwebtoken";
 
 export default defineEventHandler(async (event) => {
   try {
-    const admin = await requireAdmin(event);
+    // TODO: Temporarily disabled auth for testing - enable when authentication is set up
+    // const token = getCookie(event, 'auth-token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
 
-    const body = await validateBody(event, adminEventCreateSchema);
+    // if (!token) {
+    //   throw createError({
+    //     statusCode: 401,
+    //     statusMessage: 'Authentication required'
+    //   })
+    // }
+
+    // const config = useRuntimeConfig()
+    // const decoded = jwt.verify(token, config.jwtSecret)
+
+    const body = await readBody(event);
+
+    // Validate required fields
+    if (!body.title || !body.description || !body.startDate || !body.endDate) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: "Missing required fields",
+      });
+    }
 
     await connectDB();
 
     const eventData = {
       ...body,
-      createdBy: admin.email,
+      createdBy: "admin@ghostguild.org", // TODO: Use actual authenticated user
       startDate: new Date(body.startDate),
       endDate: new Date(body.endDate),
       registrationDeadline: body.registrationDeadline
@@ -50,7 +67,6 @@ export default defineEventHandler(async (event) => {
 
     return savedEvent;
   } catch (error) {
-    if (error.statusCode) throw error;
     console.error("Error creating event:", error);
     throw createError({
       statusCode: 500,
diff --git a/server/api/admin/events/[id].delete.js b/server/api/admin/events/[id].delete.js
index f83686f..e283859 100644
--- a/server/api/admin/events/[id].delete.js
+++ b/server/api/admin/events/[id].delete.js
@@ -1,15 +1,26 @@
 import Event from '../../../models/event.js'
 import { connectDB } from '../../../utils/mongoose.js'
-import { requireAdmin } from '../../../utils/auth.js'
+import jwt from 'jsonwebtoken'
 
 export default defineEventHandler(async (event) => {
   try {
-    await requireAdmin(event)
+    // TODO: Temporarily disabled auth for testing - enable when authentication is set up
+    // const token = getCookie(event, 'auth-token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
+    
+    // if (!token) {
+    //   throw createError({
+    //     statusCode: 401,
+    //     statusMessage: 'Authentication required'
+    //   })
+    // }
+
+    // const config = useRuntimeConfig()
+    // const decoded = jwt.verify(token, config.jwtSecret)
 
     const eventId = getRouterParam(event, 'id')
 
     await connectDB()
-
+    
     const deletedEvent = await Event.findByIdAndDelete(eventId)
 
     if (!deletedEvent) {
@@ -18,14 +29,13 @@ export default defineEventHandler(async (event) => {
         statusMessage: 'Event not found'
       })
     }
-
+    
     return { success: true, message: 'Event deleted successfully' }
   } catch (error) {
-    if (error.statusCode) throw error
     console.error('Error deleting event:', error)
     throw createError({
       statusCode: 500,
       statusMessage: error.message || 'Failed to delete event'
     })
   }
-})
+})
\ No newline at end of file
diff --git a/server/api/admin/events/[id].get.js b/server/api/admin/events/[id].get.js
index ae42859..cd1bf54 100644
--- a/server/api/admin/events/[id].get.js
+++ b/server/api/admin/events/[id].get.js
@@ -1,31 +1,47 @@
 import Event from '../../../models/event.js'
 import { connectDB } from '../../../utils/mongoose.js'
-import { requireAdmin } from '../../../utils/auth.js'
+import jwt from 'jsonwebtoken'
 
 export default defineEventHandler(async (event) => {
   try {
-    await requireAdmin(event)
+    // TODO: Temporarily disabled auth for testing - enable when authentication is set up
+    // const token = getCookie(event, 'auth-token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
+    
+    // if (!token) {
+    //   throw createError({
+    //     statusCode: 401,
+    //     statusMessage: 'Authentication required'
+    //   })
+    // }
+
+    // const config = useRuntimeConfig()
+    // const decoded = jwt.verify(token, config.jwtSecret)
 
     const eventId = getRouterParam(event, 'id')
+    console.log('🔍 API: Get event by ID called')
+    console.log('🔍 API: Event ID param:', eventId)
 
     await connectDB()
-
+    
     const eventData = await Event.findById(eventId)
+    console.log('🔍 API: Event data found:', eventData ? 'YES' : 'NO')
+    console.log('🔍 API: Event data preview:', eventData ? { id: eventData._id, title: eventData.title } : null)
 
     if (!eventData) {
+      console.log('❌ API: Event not found in database')
       throw createError({
         statusCode: 404,
         statusMessage: 'Event not found'
       })
     }
-
+    
+    console.log('✅ API: Returning event data')
     return { data: eventData }
   } catch (error) {
-    if (error.statusCode) throw error
-    console.error('Error fetching event:', error)
+    console.error('❌ API: Error fetching event:', error)
     throw createError({
       statusCode: 500,
       statusMessage: error.message || 'Failed to fetch event'
     })
   }
-})
+})
\ No newline at end of file
diff --git a/server/api/admin/events/[id].put.js b/server/api/admin/events/[id].put.js
index 542b727..50ae589 100644
--- a/server/api/admin/events/[id].put.js
+++ b/server/api/admin/events/[id].put.js
@@ -1,14 +1,25 @@
 import Event from '../../../models/event.js'
 import { connectDB } from '../../../utils/mongoose.js'
-import { requireAdmin } from '../../../utils/auth.js'
+import jwt from 'jsonwebtoken'
 
 export default defineEventHandler(async (event) => {
   try {
-    await requireAdmin(event)
+    // TODO: Temporarily disabled auth for testing - enable when authentication is set up
+    // const token = getCookie(event, 'auth-token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
+    
+    // if (!token) {
+    //   throw createError({
+    //     statusCode: 401,
+    //     statusMessage: 'Authentication required'
+    //   })
+    // }
+
+    // const config = useRuntimeConfig()
+    // const decoded = jwt.verify(token, config.jwtSecret)
 
     const eventId = getRouterParam(event, 'id')
     const body = await readBody(event)
-
+    
     // Validate required fields
     if (!body.title || !body.description || !body.startDate || !body.endDate) {
       throw createError({
@@ -18,7 +29,7 @@ export default defineEventHandler(async (event) => {
     }
 
     await connectDB()
-
+    
     const updateData = {
       ...body,
       startDate: new Date(body.startDate),
@@ -26,7 +37,7 @@ export default defineEventHandler(async (event) => {
       registrationDeadline: body.registrationDeadline ? new Date(body.registrationDeadline) : null,
       updatedAt: new Date()
     }
-
+    
     // Handle ticket data
     if (body.tickets) {
       updateData.tickets = {
@@ -56,14 +67,13 @@ export default defineEventHandler(async (event) => {
         statusMessage: 'Event not found'
       })
     }
-
+    
     return updatedEvent
   } catch (error) {
-    if (error.statusCode) throw error
     console.error('Error updating event:', error)
     throw createError({
       statusCode: 500,
       statusMessage: error.message || 'Failed to update event'
     })
   }
-})
+})
\ No newline at end of file
diff --git a/server/api/admin/members.get.js b/server/api/admin/members.get.js
index 3ababb7..3e8bccc 100644
--- a/server/api/admin/members.get.js
+++ b/server/api/admin/members.get.js
@@ -1,22 +1,34 @@
 import Member from '../../models/member.js'
 import { connectDB } from '../../utils/mongoose.js'
-import { requireAdmin } from '../../utils/auth.js'
+import jwt from 'jsonwebtoken'
 
 export default defineEventHandler(async (event) => {
   try {
-    await requireAdmin(event)
-    await connectDB()
+    // TODO: Temporarily disabled auth for testing - enable when authentication is set up
+    // Basic auth check - you may want to implement proper admin role checking
+    // const token = getCookie(event, 'auth-token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
+    
+    // if (!token) {
+    //   throw createError({
+    //     statusCode: 401,
+    //     statusMessage: 'Authentication required'
+    //   })
+    // }
 
+    // const config = useRuntimeConfig()
+    // jwt.verify(token, config.jwtSecret)
+
+    await connectDB()
+    
     const members = await Member.find()
       .sort({ createdAt: -1 })
       .lean()
 
     return members
   } catch (error) {
-    if (error.statusCode) throw error
     throw createError({
       statusCode: 500,
       statusMessage: 'Failed to fetch members'
     })
   }
-})
+})
\ No newline at end of file
diff --git a/server/api/admin/members.post.js b/server/api/admin/members.post.js
index 677a6cf..cb9f139 100644
--- a/server/api/admin/members.post.js
+++ b/server/api/admin/members.post.js
@@ -1,13 +1,24 @@
 import Member from '../../models/member.js'
 import { connectDB } from '../../utils/mongoose.js'
-import { requireAdmin } from '../../utils/auth.js'
+import jwt from 'jsonwebtoken'
 
 export default defineEventHandler(async (event) => {
   try {
-    await requireAdmin(event)
+    // TODO: Temporarily disabled auth for testing - enable when authentication is set up
+    // const token = getCookie(event, 'auth-token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
+    
+    // if (!token) {
+    //   throw createError({
+    //     statusCode: 401,
+    //     statusMessage: 'Authentication required'
+    //   })
+    // }
+
+    // const config = useRuntimeConfig()
+    // jwt.verify(token, config.jwtSecret)
 
     const body = await readBody(event)
-
+    
     // Validate required fields
     if (!body.name || !body.email || !body.circle || !body.contributionTier) {
       throw createError({
@@ -17,7 +28,7 @@ export default defineEventHandler(async (event) => {
     }
 
     await connectDB()
-
+    
     // Check if member already exists
     const existingMember = await Member.findOne({ email: body.email })
     if (existingMember) {
@@ -36,14 +47,14 @@ export default defineEventHandler(async (event) => {
     })
 
     const savedMember = await newMember.save()
-
+    
     return savedMember
   } catch (error) {
     if (error.statusCode) throw error
-
+    
     throw createError({
       statusCode: 500,
       statusMessage: 'Failed to create member'
     })
   }
-})
+})
\ No newline at end of file
diff --git a/server/api/admin/series.get.js b/server/api/admin/series.get.js
index f7d7991..e54ac4d 100644
--- a/server/api/admin/series.get.js
+++ b/server/api/admin/series.get.js
@@ -1,11 +1,9 @@
 import Series from "../../models/series.js";
 import Event from "../../models/event.js";
 import { connectDB } from "../../utils/mongoose.js";
-import { requireAdmin } from "../../utils/auth.js";
 
 export default defineEventHandler(async (event) => {
   try {
-    await requireAdmin(event);
     await connectDB();
 
     // Fetch all series
diff --git a/server/api/admin/series.post.js b/server/api/admin/series.post.js
index d61af01..2041e23 100644
--- a/server/api/admin/series.post.js
+++ b/server/api/admin/series.post.js
@@ -1,14 +1,12 @@
 import Series from '../../models/series.js'
 import { connectDB } from '../../utils/mongoose.js'
-import { requireAdmin } from '../../utils/auth.js'
 
 export default defineEventHandler(async (event) => {
   try {
-    const admin = await requireAdmin(event)
     await connectDB()
-
+    
     const body = await readBody(event)
-
+    
     // Validate required fields
     if (!body.id || !body.title || !body.description) {
       throw createError({
@@ -16,7 +14,7 @@ export default defineEventHandler(async (event) => {
         statusMessage: 'Series ID, title, and description are required'
       })
     }
-
+    
     // Create new series
     const newSeries = new Series({
       id: body.id,
@@ -24,7 +22,7 @@ export default defineEventHandler(async (event) => {
       description: body.description,
       type: body.type || 'workshop_series',
       totalEvents: body.totalEvents || null,
-      createdBy: admin.email
+      createdBy: 'admin' // TODO: Get from authentication
     })
     
     await newSeries.save()
diff --git a/server/api/admin/series.put.js b/server/api/admin/series.put.js
index 88a9ba3..2af40b8 100644
--- a/server/api/admin/series.put.js
+++ b/server/api/admin/series.put.js
@@ -1,11 +1,9 @@
 import Series from '../../models/series.js'
 import Event from '../../models/event.js'
 import { connectDB } from '../../utils/mongoose.js'
-import { requireAdmin } from '../../utils/auth.js'
 
 export default defineEventHandler(async (event) => {
   try {
-    await requireAdmin(event)
     await connectDB()
 
     const body = await readBody(event)
diff --git a/server/api/admin/series/[id].delete.js b/server/api/admin/series/[id].delete.js
index dfcef54..cc80202 100644
--- a/server/api/admin/series/[id].delete.js
+++ b/server/api/admin/series/[id].delete.js
@@ -1,11 +1,9 @@
 import Series from '../../../models/series.js'
 import Event from '../../../models/event.js'
 import { connectDB } from '../../../utils/mongoose.js'
-import { requireAdmin } from '../../../utils/auth.js'
 
 export default defineEventHandler(async (event) => {
   try {
-    await requireAdmin(event)
     await connectDB()
     
     const id = getRouterParam(event, 'id')
diff --git a/server/api/admin/series/[id].put.js b/server/api/admin/series/[id].put.js
index a303754..0143938 100644
--- a/server/api/admin/series/[id].put.js
+++ b/server/api/admin/series/[id].put.js
@@ -1,11 +1,9 @@
 import Series from '../../../models/series.js'
 import Event from '../../../models/event.js'
 import { connectDB } from '../../../utils/mongoose.js'
-import { requireAdmin } from '../../../utils/auth.js'
 
 export default defineEventHandler(async (event) => {
   try {
-    await requireAdmin(event)
     await connectDB()
     
     const id = getRouterParam(event, 'id')
diff --git a/server/api/admin/series/tickets.put.js b/server/api/admin/series/tickets.put.js
index 50ed385..c087685 100644
--- a/server/api/admin/series/tickets.put.js
+++ b/server/api/admin/series/tickets.put.js
@@ -1,11 +1,9 @@
 import Series from '../../../models/series.js'
 import Event from '../../../models/event.js'
 import { connectDB } from '../../../utils/mongoose.js'
-import { requireAdmin } from '../../../utils/auth.js'
 
 export default defineEventHandler(async (event) => {
   try {
-    await requireAdmin(event)
     await connectDB()
 
     const body = await readBody(event)
diff --git a/server/api/auth/login.post.js b/server/api/auth/login.post.js
index b60986f..afc9fc1 100644
--- a/server/api/auth/login.post.js
+++ b/server/api/auth/login.post.js
@@ -3,8 +3,6 @@ import jwt from "jsonwebtoken";
 import { Resend } from "resend";
 import Member from "../../models/member.js";
 import { connectDB } from "../../utils/mongoose.js";
-import { validateBody } from "../../utils/validateBody.js";
-import { emailSchema } from "../../utils/schemas.js";
 
 const resend = new Resend(process.env.RESEND_API_KEY);
 
@@ -12,26 +10,28 @@ export default defineEventHandler(async (event) => {
   // Connect to database
   await connectDB();
 
-  const { email } = await validateBody(event, emailSchema);
+  const { email } = await readBody(event);
 
-  const GENERIC_MESSAGE = "If this email is registered, we've sent a login link.";
-
-  const member = await Member.findOne({ email });
-
-  if (!member) {
-    // Return same response shape to prevent enumeration
-    return {
-      success: true,
-      message: GENERIC_MESSAGE,
-    };
+  if (!email) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Email is required",
+    });
   }
 
-  // Generate magic link token (use runtime config for consistency with verify/requireAuth)
-  const config = useRuntimeConfig(event);
+  const member = await Member.findOne({ email });
+  if (!member) {
+    throw createError({
+      statusCode: 404,
+      statusMessage: "No account found with that email address",
+    });
+  }
+
+  // Generate magic link token
   const token = jwt.sign(
     { memberId: member._id },
-    config.jwtSecret,
-    { expiresIn: "15m" },
+    process.env.JWT_SECRET,
+    { expiresIn: "15m" }, // Shorter expiry for security
   );
 
   // Get the base URL for the magic link
@@ -65,7 +65,7 @@ export default defineEventHandler(async (event) => {
 
     return {
       success: true,
-      message: GENERIC_MESSAGE,
+      message: "Login link sent to your email",
     };
   } catch (error) {
     console.error("Failed to send email:", error);
diff --git a/server/api/auth/logout.post.js b/server/api/auth/logout.post.js
index 077d38a..56c7fdf 100644
--- a/server/api/auth/logout.post.js
+++ b/server/api/auth/logout.post.js
@@ -1,8 +1,8 @@
 export default defineEventHandler(async (event) => {
-  // Clear the auth token cookie (flags must match login for proper clearing)
+  // Clear the auth token cookie
   setCookie(event, 'auth-token', '', {
-    httpOnly: true,
-    secure: process.env.NODE_ENV === 'production',
+    httpOnly: false, // Match the original cookie settings
+    secure: false, // Don't require HTTPS in development
     sameSite: 'lax',
     maxAge: 0 // Expire immediately
   })
diff --git a/server/api/auth/member.get.js b/server/api/auth/member.get.js
index 146d13e..d5e2a91 100644
--- a/server/api/auth/member.get.js
+++ b/server/api/auth/member.get.js
@@ -1,30 +1,60 @@
-import { requireAuth } from "../../utils/auth.js";
+import jwt from "jsonwebtoken";
+import Member from "../../models/member.js";
+import { connectDB } from "../../utils/mongoose.js";
 
 export default defineEventHandler(async (event) => {
-  const member = await requireAuth(event);
+  await connectDB();
 
-  return {
-    _id: member._id,
-    id: member._id,
-    email: member.email,
-    name: member.name,
-    role: member.role || 'member',
-    circle: member.circle,
-    contributionTier: member.contributionTier,
-    membershipLevel: `${member.circle}-${member.contributionTier}`,
-    // Profile fields
-    pronouns: member.pronouns,
-    timeZone: member.timeZone,
-    avatar: member.avatar,
-    studio: member.studio,
-    bio: member.bio,
-    location: member.location,
-    socialLinks: member.socialLinks,
-    offering: member.offering,
-    lookingFor: member.lookingFor,
-    showInDirectory: member.showInDirectory,
-    privacy: member.privacy,
-    // Peer support
-    peerSupport: member.peerSupport,
-  };
+  const token = getCookie(event, "auth-token");
+  console.log("Auth check - token found:", !!token);
+
+  if (!token) {
+    console.log("No auth token found in cookies");
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Not authenticated",
+    });
+  }
+
+  try {
+    const decoded = jwt.verify(token, process.env.JWT_SECRET);
+    const member = await Member.findById(decoded.memberId).select("-__v");
+
+    if (!member) {
+      throw createError({
+        statusCode: 404,
+        statusMessage: "Member not found",
+      });
+    }
+
+    return {
+      _id: member._id,
+      id: member._id,
+      email: member.email,
+      name: member.name,
+      circle: member.circle,
+      contributionTier: member.contributionTier,
+      membershipLevel: `${member.circle}-${member.contributionTier}`,
+      // Profile fields
+      pronouns: member.pronouns,
+      timeZone: member.timeZone,
+      avatar: member.avatar,
+      studio: member.studio,
+      bio: member.bio,
+      location: member.location,
+      socialLinks: member.socialLinks,
+      offering: member.offering,
+      lookingFor: member.lookingFor,
+      showInDirectory: member.showInDirectory,
+      privacy: member.privacy,
+      // Peer support
+      peerSupport: member.peerSupport,
+    };
+  } catch (err) {
+    console.error("Token verification error:", err);
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Invalid or expired token",
+    });
+  }
 });
diff --git a/server/api/auth/refresh.post.js b/server/api/auth/refresh.post.js
deleted file mode 100644
index 482fef9..0000000
--- a/server/api/auth/refresh.post.js
+++ /dev/null
@@ -1,58 +0,0 @@
-import jwt from 'jsonwebtoken'
-import Member from '../../models/member.js'
-import { connectDB } from '../../utils/mongoose.js'
-
-export default defineEventHandler(async (event) => {
-  await connectDB()
-
-  const token = getCookie(event, 'auth-token')
-
-  if (!token) {
-    throw createError({
-      statusCode: 401,
-      statusMessage: 'Not authenticated'
-    })
-  }
-
-  let decoded
-  try {
-    decoded = jwt.verify(token, useRuntimeConfig().jwtSecret)
-  } catch (err) {
-    throw createError({
-      statusCode: 401,
-      statusMessage: 'Invalid or expired token'
-    })
-  }
-
-  const member = await Member.findById(decoded.memberId)
-
-  if (!member) {
-    throw createError({
-      statusCode: 401,
-      statusMessage: 'Member not found'
-    })
-  }
-
-  if (member.status === 'suspended' || member.status === 'cancelled') {
-    throw createError({
-      statusCode: 403,
-      statusMessage: 'Account is ' + member.status
-    })
-  }
-
-  // Issue a fresh token
-  const newToken = jwt.sign(
-    { memberId: member._id, email: member.email },
-    useRuntimeConfig().jwtSecret,
-    { expiresIn: '7d' }
-  )
-
-  setCookie(event, 'auth-token', newToken, {
-    httpOnly: true,
-    secure: process.env.NODE_ENV === 'production',
-    sameSite: 'lax',
-    maxAge: 60 * 60 * 24 * 7 // 7 days
-  })
-
-  return { success: true }
-})
diff --git a/server/api/auth/status.get.js b/server/api/auth/status.get.js
index ec47164..9a7d2da 100644
--- a/server/api/auth/status.get.js
+++ b/server/api/auth/status.get.js
@@ -6,22 +6,22 @@ export default defineEventHandler(async (event) => {
   await connectDB()
   
   const token = getCookie(event, 'auth-token')
+  console.log('🔍 Auth status check - token exists:', !!token)
+  
   if (!token) {
     return { authenticated: false, member: null }
   }
   
   try {
-    const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret)
+    const decoded = jwt.verify(token, process.env.JWT_SECRET)
     const member = await Member.findById(decoded.memberId).select('-__v')
     
     if (!member) {
+      console.log('⚠️ Token valid but member not found')
       return { authenticated: false, member: null }
     }
-
-    if (member.status === 'suspended' || member.status === 'cancelled') {
-      return { authenticated: false, member: null, reason: 'account_' + member.status }
-    }
-
+    
+    console.log('✅ Auth status check - member found:', member.email)
     return { 
       authenticated: true, 
       member: {
@@ -34,6 +34,7 @@ export default defineEventHandler(async (event) => {
       }
     }
   } catch (err) {
+    console.error('❌ Auth status check - token verification failed:', err.message)
     return { authenticated: false, member: null }
   }
 })
\ No newline at end of file
diff --git a/server/api/auth/verify.get.js b/server/api/auth/verify.get.js
index d5f4c1f..31a66f2 100644
--- a/server/api/auth/verify.get.js
+++ b/server/api/auth/verify.get.js
@@ -18,9 +18,8 @@ export default defineEventHandler(async (event) => {
   }
   
   try {
-    // Verify the JWT token (use runtime config for consistency with login/requireAuth)
-    const config = useRuntimeConfig(event)
-    const decoded = jwt.verify(token, config.jwtSecret)
+    // Verify the JWT token
+    const decoded = jwt.verify(token, process.env.JWT_SECRET)
     const member = await Member.findById(decoded.memberId)
     
     if (!member) {
@@ -33,22 +32,23 @@ export default defineEventHandler(async (event) => {
     // Create a new session token for the authenticated user
     const sessionToken = jwt.sign(
       { memberId: member._id, email: member.email },
-      config.jwtSecret,
-      { expiresIn: '7d' }
+      process.env.JWT_SECRET,
+      { expiresIn: '30d' }
     )
-
+    
     // Set the session cookie
     setCookie(event, 'auth-token', sessionToken, {
-      httpOnly: true,
-      secure: process.env.NODE_ENV === 'production',
+      httpOnly: false, // Allow JavaScript access for debugging in development
+      secure: false, // Don't require HTTPS in development
       sameSite: 'lax',
-      maxAge: 60 * 60 * 24 * 7 // 7 days
+      maxAge: 60 * 60 * 24 * 30 // 30 days
     })
     
     // Redirect to the members dashboard or home page
     await sendRedirect(event, '/members', 302)
     
   } catch (err) {
+    console.error('Token verification error:', err)
     throw createError({ 
       statusCode: 401, 
       statusMessage: 'Invalid or expired token' 
diff --git a/server/api/events/[id]/register.post.js b/server/api/events/[id]/register.post.js
index ce2bbcb..7dfc1f0 100644
--- a/server/api/events/[id]/register.post.js
+++ b/server/api/events/[id]/register.post.js
@@ -2,8 +2,6 @@ import Event from "../../../models/event.js";
 import Member from "../../../models/member.js";
 import { connectDB } from "../../../utils/mongoose.js";
 import { sendEventRegistrationEmail } from "../../../utils/resend.js";
-import { validateBody } from "../../../utils/validateBody.js";
-import { eventRegistrationSchema } from "../../../utils/schemas.js";
 import mongoose from "mongoose";
 
 export default defineEventHandler(async (event) => {
@@ -11,7 +9,7 @@ export default defineEventHandler(async (event) => {
     // Ensure database connection
     await connectDB();
     const identifier = getRouterParam(event, "id");
-    const body = await validateBody(event, eventRegistrationSchema);
+    const body = await readBody(event);
 
     if (!identifier) {
       throw createError({
@@ -20,6 +18,14 @@ export default defineEventHandler(async (event) => {
       });
     }
 
+    // Validate required fields
+    if (!body.name || !body.email) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: "Name and email are required",
+      });
+    }
+
     // Fetch the event - try by slug first, then by ID
     let eventData;
 
diff --git a/server/api/events/[id]/tickets/purchase.post.js b/server/api/events/[id]/tickets/purchase.post.js
index 43588fc..197684c 100644
--- a/server/api/events/[id]/tickets/purchase.post.js
+++ b/server/api/events/[id]/tickets/purchase.post.js
@@ -92,6 +92,7 @@ export default defineEventHandler(async (event) => {
       // Optional: Verify the transaction with Helcim API
       // This adds extra security to ensure the transaction is legitimate
       // For now, we trust the transaction ID from HelcimPay.js
+      console.log("Payment completed with transaction ID:", transactionId);
     }
 
     // Create registration
diff --git a/server/api/helcim/create-plan.post.js b/server/api/helcim/create-plan.post.js
index 9b9c1a4..32e3672 100644
--- a/server/api/helcim/create-plan.post.js
+++ b/server/api/helcim/create-plan.post.js
@@ -16,6 +16,7 @@ export default defineEventHandler(async (event) => {
 
     const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
 
+    console.log('Creating payment plan:', body.name)
 
     const response = await fetch(`${HELCIM_API_BASE}/payment-plans`, {
       method: 'POST',
@@ -43,6 +44,7 @@ export default defineEventHandler(async (event) => {
     }
 
     const planData = await response.json()
+    console.log('Payment plan created:', planData)
 
     return {
       success: true,
diff --git a/server/api/helcim/customer-code.get.js b/server/api/helcim/customer-code.get.js
index 90e21af..7ee0be0 100644
--- a/server/api/helcim/customer-code.get.js
+++ b/server/api/helcim/customer-code.get.js
@@ -21,7 +21,7 @@ export default defineEventHandler(async (event) => {
     // Decode JWT token
     let decoded
     try {
-      decoded = jwt.verify(token, useRuntimeConfig().jwtSecret)
+      decoded = jwt.verify(token, process.env.JWT_SECRET)
     } catch (err) {
       throw createError({
         statusCode: 401,
diff --git a/server/api/helcim/customer.post.js b/server/api/helcim/customer.post.js
index 42d266d..782a0da 100644
--- a/server/api/helcim/customer.post.js
+++ b/server/api/helcim/customer.post.js
@@ -38,6 +38,8 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    // Debug: Log token (first few chars only)
+    console.log('Using Helcim token:', helcimToken.substring(0, 10) + '...')
     
     // Test the connection first with native fetch
     try {
@@ -53,7 +55,8 @@ export default defineEventHandler(async (event) => {
         throw new Error(`HTTP ${testResponse.status}: ${testResponse.statusText}`)
       }
       
-      await testResponse.json()
+      const testData = await testResponse.json()
+      console.log('Connection test passed:', testData)
     } catch (testError) {
       console.error('Connection test failed:', testError)
       throw createError({
@@ -105,19 +108,23 @@ export default defineEventHandler(async (event) => {
         email: body.email,
         helcimCustomerId: customerData.id 
       },
-      config.jwtSecret,
-      { expiresIn: '7d' }
+      process.env.JWT_SECRET,
+      { expiresIn: '24h' }
     )
 
     // Set the session cookie server-side
+    console.log('Setting auth-token cookie for member:', member.email)
+    console.log('NODE_ENV:', process.env.NODE_ENV)
     setCookie(event, 'auth-token', token, {
-      httpOnly: true,
-      secure: process.env.NODE_ENV === 'production',
+      httpOnly: true, // Server-only for security
+      secure: false, // Don't require HTTPS in development
       sameSite: 'lax',
-      maxAge: 60 * 60 * 24 * 7, // 7 days (matches verify.get.js and refresh.post.js)
+      maxAge: 60 * 60 * 24, // 24 hours
       path: '/',
       domain: undefined // Let browser set domain automatically
     })
+    console.log('Cookie set successfully')
+
     return {
       success: true,
       customerId: customerData.id,
diff --git a/server/api/helcim/get-or-create-customer.post.js b/server/api/helcim/get-or-create-customer.post.js
index f294a32..c842913 100644
--- a/server/api/helcim/get-or-create-customer.post.js
+++ b/server/api/helcim/get-or-create-customer.post.js
@@ -21,7 +21,7 @@ export default defineEventHandler(async (event) => {
     // Decode JWT token
     let decoded
     try {
-      decoded = jwt.verify(token, useRuntimeConfig().jwtSecret)
+      decoded = jwt.verify(token, process.env.JWT_SECRET)
     } catch (err) {
       throw createError({
         statusCode: 401,
@@ -59,6 +59,7 @@ export default defineEventHandler(async (event) => {
           const existingCustomer = searchData.customers.find(c => c.email === member.email)
 
           if (existingCustomer) {
+            console.log('Found existing Helcim customer:', existingCustomer.id)
 
             // Update member record with customer ID if not already set
             if (!member.helcimCustomerId) {
@@ -76,11 +77,12 @@ export default defineEventHandler(async (event) => {
         }
       }
     } catch (searchError) {
-      console.error('Error searching for customer:', searchError)
+      console.log('Error searching for customer:', searchError)
       // Continue to create new customer
     }
 
     // No existing customer found, create new one
+    console.log('Creating new Helcim customer for:', member.email)
     const createResponse = await fetch(`${HELCIM_API_BASE}/customers`, {
       method: 'POST',
       headers: {
@@ -105,6 +107,7 @@ export default defineEventHandler(async (event) => {
     }
 
     const customerData = await createResponse.json()
+    console.log('Created Helcim customer:', customerData.id)
 
     // Update member record with customer ID
     member.helcimCustomerId = customerData.id
diff --git a/server/api/helcim/initialize-payment.post.js b/server/api/helcim/initialize-payment.post.js
index 3888bf9..3987225 100644
--- a/server/api/helcim/initialize-payment.post.js
+++ b/server/api/helcim/initialize-payment.post.js
@@ -1,14 +1,13 @@
 // Initialize HelcimPay.js session
-import { requireAuth } from "../../utils/auth.js";
-
 const HELCIM_API_BASE = "https://api.helcim.com/v2";
 
 export default defineEventHandler(async (event) => {
   try {
-    await requireAuth(event);
     const config = useRuntimeConfig(event);
     const body = await readBody(event);
 
+    // Debug log the request body
+    console.log("Initialize payment request body:", body);
 
     const helcimToken =
       config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN;
@@ -44,6 +43,8 @@ export default defineEventHandler(async (event) => {
       requestBody.orderNumber = `${body.metadata.eventId}`;
     }
 
+    console.log("Helcim request body:", JSON.stringify(requestBody, null, 2));
+
     // Initialize HelcimPay.js session
     const response = await fetch(`${HELCIM_API_BASE}/helcim-pay/initialize`, {
       method: "POST",
diff --git a/server/api/helcim/plans.get.js b/server/api/helcim/plans.get.js
index 6b71c92..e4da1ce 100644
--- a/server/api/helcim/plans.get.js
+++ b/server/api/helcim/plans.get.js
@@ -6,6 +6,8 @@ export default defineEventHandler(async (event) => {
     const config = useRuntimeConfig(event)
     const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
     
+    console.log('Fetching payment plans from Helcim...')
+    
     const response = await fetch(`${HELCIM_API_BASE}/payment-plans`, {
       method: 'GET',
       headers: {
@@ -16,13 +18,17 @@ export default defineEventHandler(async (event) => {
     
     if (!response.ok) {
       console.error('Failed to fetch payment plans:', response.status, response.statusText)
+      const errorText = await response.text()
+      console.error('Response body:', errorText)
+      
       throw createError({
         statusCode: response.status,
-        statusMessage: 'Failed to fetch payment plans'
+        statusMessage: `Failed to fetch payment plans: ${errorText}`
       })
     }
     
     const plansData = await response.json()
+    console.log('Payment plans retrieved:', JSON.stringify(plansData, null, 2))
     
     return {
       success: true,
diff --git a/server/api/helcim/subscription.post.js b/server/api/helcim/subscription.post.js
index dafacc3..08cf6fa 100644
--- a/server/api/helcim/subscription.post.js
+++ b/server/api/helcim/subscription.post.js
@@ -3,7 +3,6 @@ import { getHelcimPlanId, requiresPayment } from '../../config/contributions.js'
 import Member from '../../models/member.js'
 import { connectDB } from '../../utils/mongoose.js'
 import { getSlackService } from '../../utils/slack.ts'
-import { requireAuth } from '../../utils/auth.js'
 
 const HELCIM_API_BASE = 'https://api.helcim.com/v2'
 
@@ -73,7 +72,6 @@ async function inviteToSlack(member) {
 
 export default defineEventHandler(async (event) => {
   try {
-    await requireAuth(event)
     await connectDB()
     const config = useRuntimeConfig(event)
     const body = await readBody(event)
@@ -93,8 +91,11 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    console.log('Subscription request body:', body)
+    
     // Check if payment is required
     if (!requiresPayment(body.contributionTier)) {
+      console.log('No payment required for tier:', body.contributionTier)
       // For free tier, just update member status
       const member = await Member.findOneAndUpdate(
         { helcimCustomerId: body.customerId },
@@ -106,6 +107,8 @@ export default defineEventHandler(async (event) => {
         { new: true }
       )
       
+      console.log('Updated member for free tier:', member)
+      
       // Send Slack invitation for free tier members
       await inviteToSlack(member)
       
@@ -116,8 +119,11 @@ export default defineEventHandler(async (event) => {
       }
     }
 
+    console.log('Payment required for tier:', body.contributionTier)
+
     // Get the Helcim plan ID
     const planId = getHelcimPlanId(body.contributionTier)
+    console.log('Plan ID for tier:', planId)
     
     // Validate card token is provided
     if (!body.cardToken) {
@@ -129,6 +135,8 @@ export default defineEventHandler(async (event) => {
 
     // Check if we have a configured plan for this tier
     if (!planId) {
+      console.log('No Helcim plan configured for tier:', body.contributionTier)
+      
       const member = await Member.findOneAndUpdate(
         { helcimCustomerId: body.customerId },
         { 
@@ -160,6 +168,8 @@ export default defineEventHandler(async (event) => {
     // Try to create subscription in Helcim
     const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
     
+    console.log('Attempting to create Helcim subscription with plan ID:', planId)
+    
     // Generate a proper alphanumeric idempotency key (exactly 25 characters)
     const chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
     let idempotencyKey = ''
@@ -187,6 +197,10 @@ export default defineEventHandler(async (event) => {
       'idempotency-key': idempotencyKey
     }
     
+    console.log('Subscription request body:', requestBody)
+    console.log('Request headers:', requestHeaders)
+    console.log('Request URL:', `${HELCIM_API_BASE}/subscriptions`)
+    
     try {
       const subscriptionResponse = await fetch(`${HELCIM_API_BASE}/subscriptions`, {
         method: 'POST',
@@ -196,11 +210,47 @@ export default defineEventHandler(async (event) => {
       
       if (!subscriptionResponse.ok) {
         const errorText = await subscriptionResponse.text()
-        console.error('Subscription creation failed:', subscriptionResponse.status)
+        console.error('Subscription creation failed:')
+        console.error('Status:', subscriptionResponse.status)
+        console.error('Status Text:', subscriptionResponse.statusText)
+        console.error('Headers:', Object.fromEntries(subscriptionResponse.headers.entries()))
+        console.error('Response Body:', errorText)
+        console.error('Request was:', {
+          url: `${HELCIM_API_BASE}/subscriptions`,
+          method: 'POST',
+          body: requestBody,
+          headers: {
+            'accept': 'application/json',
+            'content-type': 'application/json',
+            'api-token': helcimToken ? 'present' : 'missing'
+          }
+        })
         
         // If it's a validation error, let's try to get more info about available plans
         if (subscriptionResponse.status === 400 || subscriptionResponse.status === 404) {
-          // Plan might not exist -- update member status and proceed
+          console.log('Plan might not exist. Trying to get list of available payment plans...')
+          
+          // Try to fetch available payment plans
+          try {
+            const plansResponse = await fetch(`${HELCIM_API_BASE}/payment-plans`, {
+              method: 'GET',
+              headers: {
+                'accept': 'application/json',
+                'api-token': helcimToken
+              }
+            })
+            
+            if (plansResponse.ok) {
+              const plansData = await plansResponse.json()
+              console.log('Available payment plans:', JSON.stringify(plansData, null, 2))
+            } else {
+              console.log('Could not fetch payment plans:', plansResponse.status, plansResponse.statusText)
+            }
+          } catch (planError) {
+            console.log('Error fetching payment plans:', planError.message)
+          }
+          
+          // For now, just update member status and let user know we need to configure plans
           const member = await Member.findOneAndUpdate(
             { helcimCustomerId: body.customerId },
             { 
@@ -237,6 +287,7 @@ export default defineEventHandler(async (event) => {
       }
       
       const subscriptionData = await subscriptionResponse.json()
+      console.log('Subscription created successfully:', subscriptionData)
 
       // Extract the first subscription from the response array
       const subscription = subscriptionData.data?.[0]
diff --git a/server/api/helcim/subscriptions.get.js b/server/api/helcim/subscriptions.get.js
index 111e33d..f103ed3 100644
--- a/server/api/helcim/subscriptions.get.js
+++ b/server/api/helcim/subscriptions.get.js
@@ -6,6 +6,8 @@ export default defineEventHandler(async (event) => {
     const config = useRuntimeConfig(event)
     const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
     
+    console.log('Fetching existing subscriptions from Helcim...')
+    
     const response = await fetch(`${HELCIM_API_BASE}/subscriptions`, {
       method: 'GET',
       headers: {
@@ -16,13 +18,17 @@ export default defineEventHandler(async (event) => {
     
     if (!response.ok) {
       console.error('Failed to fetch subscriptions:', response.status, response.statusText)
+      const errorText = await response.text()
+      console.error('Response body:', errorText)
+      
       throw createError({
         statusCode: response.status,
-        statusMessage: 'Failed to fetch subscriptions'
+        statusMessage: `Failed to fetch subscriptions: ${errorText}`
       })
     }
     
     const subscriptionsData = await response.json()
+    console.log('Existing subscriptions:', JSON.stringify(subscriptionsData, null, 2))
     
     return {
       success: true,
diff --git a/server/api/helcim/test-connection.get.js b/server/api/helcim/test-connection.get.js
new file mode 100644
index 0000000..c4ad093
--- /dev/null
+++ b/server/api/helcim/test-connection.get.js
@@ -0,0 +1,46 @@
+// Test Helcim API connection
+const HELCIM_API_BASE = 'https://api.helcim.com/v2'
+
+export default defineEventHandler(async (event) => {
+  try {
+    const config = useRuntimeConfig(event)
+    
+    // Log token info (safely)
+    const tokenInfo = {
+      hasToken: !!config.public.helcimToken,
+      tokenLength: config.public.helcimToken ? config.public.helcimToken.length : 0,
+      tokenPrefix: config.public.helcimToken ? config.public.helcimToken.substring(0, 10) : null
+    }
+    
+    console.log('Helcim Token Info:', tokenInfo)
+    
+    const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
+    
+    // Try connection test endpoint
+    const response = await $fetch(`${HELCIM_API_BASE}/connection-test`, {
+      method: 'GET',
+      headers: {
+        'accept': 'application/json',
+        'api-token': helcimToken
+      }
+    })
+    
+    return {
+      success: true,
+      message: 'Helcim API connection successful',
+      tokenInfo,
+      connectionResponse: response
+    }
+  } catch (error) {
+    console.error('Helcim test error:', error)
+    return {
+      success: false,
+      message: error.message || 'Failed to connect to Helcim API',
+      statusCode: error.statusCode,
+      tokenInfo: {
+        hasToken: !!useRuntimeConfig().public.helcimToken,
+        tokenLength: useRuntimeConfig().public.helcimToken ? useRuntimeConfig().public.helcimToken.length : 0
+      }
+    }
+  }
+})
\ No newline at end of file
diff --git a/server/api/helcim/test-subscription.get.js b/server/api/helcim/test-subscription.get.js
new file mode 100644
index 0000000..ff8b5e6
--- /dev/null
+++ b/server/api/helcim/test-subscription.get.js
@@ -0,0 +1,77 @@
+// Test minimal subscription creation to understand required fields
+const HELCIM_API_BASE = 'https://api.helcim.com/v2'
+
+export default defineEventHandler(async (event) => {
+  try {
+    const config = useRuntimeConfig(event)
+    const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
+    
+    // Generate a 25-character idempotency key
+    const idempotencyKey = `${Date.now()}-${Math.random().toString(36).substring(2, 15)}`.substring(0, 25)
+    
+    // Test with minimal fields first
+    const testRequest1 = {
+      customerCode: 'CST1020', // Use a recent customer code
+      planId: 20162
+    }
+    
+    console.log('Testing subscription with minimal fields:', testRequest1)
+    
+    try {
+      const response1 = await fetch(`${HELCIM_API_BASE}/subscriptions`, {
+        method: 'POST',
+        headers: {
+          'accept': 'application/json',
+          'content-type': 'application/json',
+          'api-token': helcimToken,
+          'idempotency-key': idempotencyKey + 'a'
+        },
+        body: JSON.stringify(testRequest1)
+      })
+      
+      const result1 = await response1.text()
+      console.log('Test 1 - Status:', response1.status)
+      console.log('Test 1 - Response:', result1)
+      
+      if (!response1.ok) {
+        // Try with paymentPlanId instead
+        const testRequest2 = {
+          customerCode: 'CST1020',
+          paymentPlanId: 20162
+        }
+        
+        console.log('Testing subscription with paymentPlanId:', testRequest2)
+        
+        const response2 = await fetch(`${HELCIM_API_BASE}/subscriptions`, {
+          method: 'POST',
+          headers: {
+            'accept': 'application/json',
+            'content-type': 'application/json',
+            'api-token': helcimToken,
+            'idempotency-key': idempotencyKey + 'b'
+          },
+          body: JSON.stringify(testRequest2)
+        })
+        
+        const result2 = await response2.text()
+        console.log('Test 2 - Status:', response2.status)
+        console.log('Test 2 - Response:', result2)
+      }
+      
+    } catch (error) {
+      console.error('Test error:', error)
+    }
+    
+    return {
+      success: true,
+      message: 'Check server logs for test results'
+    }
+    
+  } catch (error) {
+    console.error('Error in test endpoint:', error)
+    throw createError({
+      statusCode: 500,
+      statusMessage: error.message
+    })
+  }
+})
\ No newline at end of file
diff --git a/server/api/helcim/update-billing.post.js b/server/api/helcim/update-billing.post.js
index e1199b6..0c1a367 100644
--- a/server/api/helcim/update-billing.post.js
+++ b/server/api/helcim/update-billing.post.js
@@ -1,11 +1,8 @@
 // Update customer billing address
-import { requireAuth } from '../../utils/auth.js'
-
 const HELCIM_API_BASE = 'https://api.helcim.com/v2'
 
 export default defineEventHandler(async (event) => {
   try {
-    await requireAuth(event)
     const config = useRuntimeConfig(event)
     const body = await readBody(event)
     
diff --git a/server/api/helcim/verify-payment.post.js b/server/api/helcim/verify-payment.post.js
index 16fc074..d975ee4 100644
--- a/server/api/helcim/verify-payment.post.js
+++ b/server/api/helcim/verify-payment.post.js
@@ -1,67 +1,38 @@
 // Verify payment token from HelcimPay.js
-import { requireAuth } from '../../utils/auth.js'
-import { validateBody } from '../../utils/validateBody.js'
-import { paymentVerifySchema } from '../../utils/schemas.js'
-
 const HELCIM_API_BASE = 'https://api.helcim.com/v2'
 
 export default defineEventHandler(async (event) => {
   try {
-    await requireAuth(event)
     const config = useRuntimeConfig(event)
-    const body = await validateBody(event, paymentVerifySchema)
-
-    const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
-
-    if (!helcimToken) {
-      throw createError({
-        statusCode: 500,
-        statusMessage: 'Helcim API token not configured'
-      })
-    }
-
-    // Verify the card token by fetching the customer's cards from Helcim
-    const response = await fetch(`${HELCIM_API_BASE}/customers/${body.customerId}/cards`, {
-      method: 'GET',
-      headers: {
-        'accept': 'application/json',
-        'api-token': helcimToken
-      }
-    })
-
-    if (!response.ok) {
-      const errorText = await response.text()
-      console.error('Payment verification failed:', response.status, errorText)
-      throw createError({
-        statusCode: 502,
-        statusMessage: 'Payment verification failed with Helcim'
-      })
-    }
-
-    const cards = await response.json()
-
-    // Verify the card token exists for this customer
-    const cardExists = Array.isArray(cards) && cards.some(card =>
-      card.cardToken === body.cardToken
-    )
-
-    if (!cardExists) {
+    const body = await readBody(event)
+    
+    // Validate required fields
+    if (!body.cardToken || !body.customerId) {
       throw createError({
         statusCode: 400,
-        statusMessage: 'Payment method not found or does not belong to this customer'
+        statusMessage: 'Card token and customer ID are required'
       })
     }
 
+    console.log('Payment verification request:', {
+      customerId: body.customerId,
+      cardToken: body.cardToken ? 'present' : 'missing'
+    })
+
+    // Since HelcimPay.js already verified the payment and we have the card token,
+    // we can just return success. The card is already associated with the customer.
+    console.log('Payment already verified through HelcimPay.js, returning success')
+    
     return {
       success: true,
       cardToken: body.cardToken,
-      message: 'Payment verified with Helcim'
+      message: 'Payment verified successfully through HelcimPay.js'
     }
   } catch (error) {
     console.error('Error verifying payment:', error)
     throw createError({
       statusCode: error.statusCode || 500,
-      statusMessage: error.statusMessage || 'Failed to verify payment'
+      statusMessage: error.message || 'Failed to verify payment'
     })
   }
-})
+})
\ No newline at end of file
diff --git a/server/api/members/cancel-subscription.post.js b/server/api/members/cancel-subscription.post.js
index 34e82cb..955bf59 100644
--- a/server/api/members/cancel-subscription.post.js
+++ b/server/api/members/cancel-subscription.post.js
@@ -21,7 +21,7 @@ export default defineEventHandler(async (event) => {
     // Decode JWT token
     let decoded;
     try {
-      decoded = jwt.verify(token, config.jwtSecret);
+      decoded = jwt.verify(token, process.env.JWT_SECRET);
     } catch (err) {
       throw createError({
         statusCode: 401,
diff --git a/server/api/members/create.post.js b/server/api/members/create.post.js
index b9ae293..1ed831c 100644
--- a/server/api/members/create.post.js
+++ b/server/api/members/create.post.js
@@ -2,8 +2,6 @@
 import Member from '../../models/member.js'
 import { connectDB } from '../../utils/mongoose.js'
 import { getSlackService } from '../../utils/slack.ts'
-import { validateBody } from '../../utils/validateBody.js'
-import { memberCreateSchema } from '../../utils/schemas.js'
 // Simple payment check function to avoid import issues
 const requiresPayment = (contributionValue) => contributionValue !== '0'
 
@@ -16,7 +14,7 @@ async function inviteToSlack(member) {
       return
     }
 
-    console.warn(`Processing Slack invitation for member`)
+    console.log(`Processing Slack invitation for ${member.email}...`)
     
     const inviteResult = await slackService.inviteUserToSlack(
       member.email,
@@ -47,13 +45,13 @@ async function inviteToSlack(member) {
         inviteResult.status
       )
       
-      console.warn(`Slack invitation processed: ${inviteResult.status}`)
+      console.log(`Successfully processed Slack invitation for ${member.email}: ${inviteResult.status}`)
     } else {
       // Update member record to reflect failed invitation
       member.slackInviteStatus = 'failed'
       await member.save()
       
-      console.error(`Failed to process Slack invitation: ${inviteResult.error}`)
+      console.error(`Failed to process Slack invitation for ${member.email}: ${inviteResult.error}`)
       // Don't throw error - member creation should still succeed
     }
   } catch (error) {
@@ -75,30 +73,32 @@ export default defineEventHandler(async (event) => {
   // Ensure database is connected
   await connectDB()
   
-  const validatedData = await validateBody(event, memberCreateSchema)
-
+  const body = await readBody(event)
+  
   try {
     // Check if member already exists
-    const existingMember = await Member.findOne({ email: validatedData.email })
+    const existingMember = await Member.findOne({ email: body.email })
     if (existingMember) {
-      throw createError({
-        statusCode: 409,
-        statusMessage: 'A member with this email already exists'
+      throw createError({ 
+        statusCode: 409, 
+        statusMessage: 'A member with this email already exists' 
       })
     }
-
-    const member = new Member(validatedData)
+    
+    const member = new Member(body)
     await member.save()
     
     // Send Slack invitation for new members
     await inviteToSlack(member)
     
     // TODO: Process payment with Helcim if not free tier
-    if (requiresPayment(validatedData.contributionTier)) {
+    if (requiresPayment(body.contributionTier)) {
       // Payment processing will be added here
+      console.log('Payment processing needed for tier:', body.contributionTier)
     }
-
+    
     // TODO: Send welcome email
+    console.log('Welcome email should be sent to:', body.email)
     
     return { success: true, member }
   } catch (error) {
diff --git a/server/api/members/directory.get.js b/server/api/members/directory.get.js
index 3598647..70c614e 100644
--- a/server/api/members/directory.get.js
+++ b/server/api/members/directory.get.js
@@ -12,7 +12,7 @@ export default defineEventHandler(async (event) => {
 
   if (token) {
     try {
-      const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
+      const decoded = jwt.verify(token, process.env.JWT_SECRET);
       currentMemberId = decoded.memberId;
       isAuthenticated = true;
     } catch (err) {
@@ -46,11 +46,9 @@ export default defineEventHandler(async (event) => {
 
   // Search by name or bio
   if (search) {
-    // Escape special regex characters to prevent ReDoS
-    const escaped = search.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
     dbQuery.$or = [
-      { name: { $regex: escaped, $options: "i" } },
-      { bio: { $regex: escaped, $options: "i" } },
+      { name: { $regex: search, $options: "i" } },
+      { bio: { $regex: search, $options: "i" } },
     ];
   }
 
@@ -62,12 +60,11 @@ export default defineEventHandler(async (event) => {
     ];
     // If search is also present, combine with AND
     if (search) {
-      const escaped = search.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
       dbQuery.$and = [
         {
           $or: [
-            { name: { $regex: escaped, $options: "i" } },
-            { bio: { $regex: escaped, $options: "i" } },
+            { name: { $regex: search, $options: "i" } },
+            { bio: { $regex: search, $options: "i" } },
           ],
         },
         {
diff --git a/server/api/members/me/peer-support.patch.js b/server/api/members/me/peer-support.patch.js
index b130346..e9b9887 100644
--- a/server/api/members/me/peer-support.patch.js
+++ b/server/api/members/me/peer-support.patch.js
@@ -16,7 +16,7 @@ export default defineEventHandler(async (event) => {
 
   let memberId;
   try {
-    const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
+    const decoded = jwt.verify(token, process.env.JWT_SECRET);
     memberId = decoded.memberId;
   } catch (err) {
     throw createError({
diff --git a/server/api/members/profile.patch.js b/server/api/members/profile.patch.js
index bd396d6..67eb598 100644
--- a/server/api/members/profile.patch.js
+++ b/server/api/members/profile.patch.js
@@ -1,16 +1,34 @@
+import jwt from "jsonwebtoken";
 import Member from "../../models/member.js";
-import { requireAuth } from "../../utils/auth.js";
-import { validateBody } from "../../utils/validateBody.js";
-import { memberProfileUpdateSchema } from "../../utils/schemas.js";
+import { connectDB } from "../../utils/mongoose.js";
 
 export default defineEventHandler(async (event) => {
-  const authedMember = await requireAuth(event);
-  const memberId = authedMember._id;
+  await connectDB();
 
-  const body = await validateBody(event, memberProfileUpdateSchema);
+  const token = getCookie(event, "auth-token");
 
-  // Profile fields from validated body
-  const profileFields = [
+  if (!token) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Not authenticated",
+    });
+  }
+
+  let memberId;
+  try {
+    const decoded = jwt.verify(token, process.env.JWT_SECRET);
+    memberId = decoded.memberId;
+  } catch (err) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Invalid or expired token",
+    });
+  }
+
+  const body = await readBody(event);
+
+  // Define allowed profile fields
+  const allowedFields = [
     "pronouns",
     "timeZone",
     "avatar",
@@ -19,9 +37,10 @@ export default defineEventHandler(async (event) => {
     "location",
     "socialLinks",
     "showInDirectory",
+    "helcimCustomerId",
   ];
 
-  // Privacy fields from validated body
+  // Define privacy fields
   const privacyFields = [
     "pronounsPrivacy",
     "timeZonePrivacy",
@@ -34,10 +53,10 @@ export default defineEventHandler(async (event) => {
     "lookingForPrivacy",
   ];
 
-  // Build update object from validated data
+  // Build update object
   const updateData = {};
 
-  profileFields.forEach((field) => {
+  allowedFields.forEach((field) => {
     if (body[field] !== undefined) {
       updateData[field] = body[field];
     }
@@ -75,7 +94,7 @@ export default defineEventHandler(async (event) => {
     if (!member) {
       throw createError({
         statusCode: 404,
-        statusMessage: "Member not found",
+        message: "Member not found",
       });
     }
 
@@ -98,11 +117,10 @@ export default defineEventHandler(async (event) => {
       showInDirectory: member.showInDirectory,
     };
   } catch (error) {
-    if (error.statusCode) throw error;
     console.error("Profile update error:", error);
     throw createError({
       statusCode: 500,
-      statusMessage: "Failed to update profile",
+      message: "Failed to update profile",
     });
   }
 });
diff --git a/server/api/members/update-contribution.post.js b/server/api/members/update-contribution.post.js
index 6749880..7ff8736 100644
--- a/server/api/members/update-contribution.post.js
+++ b/server/api/members/update-contribution.post.js
@@ -27,7 +27,7 @@ export default defineEventHandler(async (event) => {
     // Decode JWT token
     let decoded;
     try {
-      decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
+      decoded = jwt.verify(token, process.env.JWT_SECRET);
     } catch (err) {
       throw createError({
         statusCode: 401,
diff --git a/server/api/peer-support.get.js b/server/api/peer-support.get.js
index e99f68c..04c5977 100644
--- a/server/api/peer-support.get.js
+++ b/server/api/peer-support.get.js
@@ -11,7 +11,7 @@ export default defineEventHandler(async (event) => {
 
   if (token) {
     try {
-      jwt.verify(token, useRuntimeConfig().jwtSecret);
+      jwt.verify(token, process.env.JWT_SECRET);
       isAuthenticated = true;
     } catch (err) {
       isAuthenticated = false;
diff --git a/server/api/slack/test-bot.get.ts b/server/api/slack/test-bot.get.ts
new file mode 100644
index 0000000..65b8ba5
--- /dev/null
+++ b/server/api/slack/test-bot.get.ts
@@ -0,0 +1,68 @@
+import { WebClient } from '@slack/web-api'
+
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig()
+  
+  if (!config.slackBotToken) {
+    return {
+      success: false,
+      error: 'Slack bot token not configured'
+    }
+  }
+
+  const client = new WebClient(config.slackBotToken)
+
+  try {
+    // Test basic API access
+    const authTest = await client.auth.test()
+    console.log('Auth test result:', authTest)
+
+    // Test if admin API is available
+    let adminApiAvailable = false
+    let adminError = null
+    
+    try {
+      // Try to call admin.users.list to test admin API access
+      await client.admin.users.list({ limit: 1 })
+      adminApiAvailable = true
+    } catch (error: any) {
+      adminError = error.data?.error || error.message
+      console.log('Admin API test failed:', adminError)
+    }
+
+    // Test channel access if channel ID is configured
+    let channelAccess = false
+    let channelError = null
+    
+    if (config.slackVettingChannelId) {
+      try {
+        const channelInfo = await client.conversations.info({
+          channel: config.slackVettingChannelId
+        })
+        channelAccess = !!channelInfo.channel
+      } catch (error: any) {
+        channelError = error.data?.error || error.message
+      }
+    }
+
+    return {
+      success: true,
+      botInfo: {
+        user: authTest.user,
+        team: authTest.team,
+        url: authTest.url
+      },
+      adminApiAvailable,
+      adminError: adminApiAvailable ? null : adminError,
+      channelAccess,
+      channelError: channelAccess ? null : channelError,
+      channelId: config.slackVettingChannelId || 'Not configured'
+    }
+
+  } catch (error: any) {
+    return {
+      success: false,
+      error: error.data?.error || error.message || 'Unknown error'
+    }
+  }
+})
\ No newline at end of file
diff --git a/server/api/test/peer-support-debug.get.js b/server/api/test/peer-support-debug.get.js
index 4073cb2..09c169d 100644
--- a/server/api/test/peer-support-debug.get.js
+++ b/server/api/test/peer-support-debug.get.js
@@ -12,7 +12,7 @@ export default defineEventHandler(async (event) => {
 
   let memberId;
   try {
-    const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
+    const decoded = jwt.verify(token, process.env.JWT_SECRET);
     memberId = decoded.memberId;
   } catch (err) {
     throw createError({ statusCode: 401, statusMessage: "Invalid token" });
diff --git a/server/api/updates/[id].delete.js b/server/api/updates/[id].delete.js
index aeedd95..ed7dda2 100644
--- a/server/api/updates/[id].delete.js
+++ b/server/api/updates/[id].delete.js
@@ -16,7 +16,7 @@ export default defineEventHandler(async (event) => {
 
   let memberId;
   try {
-    const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
+    const decoded = jwt.verify(token, process.env.JWT_SECRET);
     memberId = decoded.memberId;
   } catch (err) {
     throw createError({
diff --git a/server/api/updates/[id].get.js b/server/api/updates/[id].get.js
index d17ecaf..6dda80f 100644
--- a/server/api/updates/[id].get.js
+++ b/server/api/updates/[id].get.js
@@ -12,7 +12,7 @@ export default defineEventHandler(async (event) => {
   // Check if user is authenticated
   if (token) {
     try {
-      const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
+      const decoded = jwt.verify(token, process.env.JWT_SECRET);
       memberId = decoded.memberId;
     } catch (err) {
       // Token invalid, continue as non-member
diff --git a/server/api/updates/[id].patch.js b/server/api/updates/[id].patch.js
index a1cf726..fcd5e5c 100644
--- a/server/api/updates/[id].patch.js
+++ b/server/api/updates/[id].patch.js
@@ -16,7 +16,7 @@ export default defineEventHandler(async (event) => {
 
   let memberId;
   try {
-    const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
+    const decoded = jwt.verify(token, process.env.JWT_SECRET);
     memberId = decoded.memberId;
   } catch (err) {
     throw createError({
diff --git a/server/api/updates/index.get.js b/server/api/updates/index.get.js
index f6f5d90..2cb28fb 100644
--- a/server/api/updates/index.get.js
+++ b/server/api/updates/index.get.js
@@ -11,7 +11,7 @@ export default defineEventHandler(async (event) => {
   // Check if user is authenticated
   if (token) {
     try {
-      const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
+      const decoded = jwt.verify(token, process.env.JWT_SECRET);
       memberId = decoded.memberId;
     } catch (err) {
       // Token invalid, continue as non-member
diff --git a/server/api/updates/index.post.js b/server/api/updates/index.post.js
index 8f1e330..97d659a 100644
--- a/server/api/updates/index.post.js
+++ b/server/api/updates/index.post.js
@@ -1,8 +1,6 @@
 import jwt from "jsonwebtoken";
 import Update from "../../models/update.js";
 import { connectDB } from "../../utils/mongoose.js";
-import { validateBody } from "../../utils/validateBody.js";
-import { updateCreateSchema } from "../../utils/schemas.js";
 
 export default defineEventHandler(async (event) => {
   await connectDB();
@@ -18,7 +16,7 @@ export default defineEventHandler(async (event) => {
 
   let memberId;
   try {
-    const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
+    const decoded = jwt.verify(token, process.env.JWT_SECRET);
     memberId = decoded.memberId;
   } catch (err) {
     throw createError({
@@ -27,7 +25,14 @@ export default defineEventHandler(async (event) => {
     });
   }
 
-  const body = await validateBody(event, updateCreateSchema);
+  const body = await readBody(event);
+
+  if (!body.content || !body.content.trim()) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Content is required",
+    });
+  }
 
   try {
     const update = await Update.create({
@@ -43,7 +48,6 @@ export default defineEventHandler(async (event) => {
 
     return update;
   } catch (error) {
-    if (error.statusCode) throw error;
     console.error("Create update error:", error);
     throw createError({
       statusCode: 500,
diff --git a/server/api/updates/my-updates.get.js b/server/api/updates/my-updates.get.js
index 084d787..60e6da5 100644
--- a/server/api/updates/my-updates.get.js
+++ b/server/api/updates/my-updates.get.js
@@ -16,7 +16,7 @@ export default defineEventHandler(async (event) => {
 
   let memberId;
   try {
-    const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
+    const decoded = jwt.verify(token, process.env.JWT_SECRET);
     memberId = decoded.memberId;
   } catch (err) {
     throw createError({
diff --git a/server/api/updates/user/[id].get.js b/server/api/updates/user/[id].get.js
index d5de64a..7eee274 100644
--- a/server/api/updates/user/[id].get.js
+++ b/server/api/updates/user/[id].get.js
@@ -13,7 +13,7 @@ export default defineEventHandler(async (event) => {
   // Check if user is authenticated
   if (token) {
     try {
-      const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
+      const decoded = jwt.verify(token, process.env.JWT_SECRET);
       currentMemberId = decoded.memberId;
     } catch (err) {
       // Token invalid, continue as non-member
diff --git a/server/api/upload/image.post.js b/server/api/upload/image.post.js
index 9842fa2..b9fb9d5 100644
--- a/server/api/upload/image.post.js
+++ b/server/api/upload/image.post.js
@@ -1,5 +1,4 @@
 import { v2 as cloudinary } from 'cloudinary'
-import { requireAuth } from '../../utils/auth.js'
 
 // Configure Cloudinary
 cloudinary.config({
@@ -10,7 +9,6 @@ cloudinary.config({
 
 export default defineEventHandler(async (event) => {
   try {
-    await requireAuth(event)
     // Parse the multipart form data
     const formData = await readMultipartFormData(event)
     
@@ -39,15 +37,6 @@ export default defineEventHandler(async (event) => {
       })
     }
 
-    // Validate file size (10MB limit)
-    const maxSize = 10 * 1024 * 1024
-    if (fileData.data.length > maxSize) {
-      throw createError({
-        statusCode: 400,
-        statusMessage: 'File too large. Maximum size is 10MB.'
-      })
-    }
-
     // Convert buffer to base64 for Cloudinary upload
     const base64File = `data:${fileData.type};base64,${fileData.data.toString('base64')}`
 
diff --git a/server/middleware/01.csrf.js b/server/middleware/01.csrf.js
deleted file mode 100644
index 3f3e841..0000000
--- a/server/middleware/01.csrf.js
+++ /dev/null
@@ -1,47 +0,0 @@
-import crypto from 'crypto'
-
-const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS'])
-
-// Routes exempt from CSRF (external webhooks, magic link verify)
-const EXEMPT_PREFIXES = [
-  '/api/helcim/webhook',
-  '/api/slack/webhook',
-  '/api/auth/verify',
-  '/oidc/',
-]
-
-function isExempt(path) {
-  return EXEMPT_PREFIXES.some(prefix => path.startsWith(prefix))
-}
-
-export default defineEventHandler((event) => {
-  const method = getMethod(event)
-  const path = getRequestURL(event).pathname
-
-  // Always set a CSRF token cookie if one doesn't exist
-  let csrfToken = getCookie(event, 'csrf-token')
-  if (!csrfToken) {
-    csrfToken = crypto.randomBytes(32).toString('hex')
-    setCookie(event, 'csrf-token', csrfToken, {
-      httpOnly: false, // Must be readable by JS to include in requests
-      secure: process.env.NODE_ENV === 'production',
-      sameSite: 'lax',
-      path: '/'
-    })
-  }
-
-  // Only check state-changing methods
-  if (SAFE_METHODS.has(method)) return
-  if (!path.startsWith('/api/')) return
-  if (isExempt(path)) return
-
-  // Double-submit cookie check: header must match cookie
-  const headerToken = getHeader(event, 'x-csrf-token')
-
-  if (!headerToken || headerToken !== csrfToken) {
-    throw createError({
-      statusCode: 403,
-      statusMessage: 'CSRF token missing or invalid'
-    })
-  }
-})
diff --git a/server/middleware/02.security-headers.js b/server/middleware/02.security-headers.js
deleted file mode 100644
index f29ce86..0000000
--- a/server/middleware/02.security-headers.js
+++ /dev/null
@@ -1,30 +0,0 @@
-export default defineEventHandler((event) => {
-  const headers = {
-    'X-Content-Type-Options': 'nosniff',
-    'X-Frame-Options': 'DENY',
-    'X-XSS-Protection': '0',
-    'Referrer-Policy': 'strict-origin-when-cross-origin',
-    'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
-  }
-
-  if (process.env.NODE_ENV === 'production') {
-    headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
-
-    // CSP: allow self, Cloudinary images, HelcimPay.js, Plausible analytics
-    headers['Content-Security-Policy'] = [
-      "default-src 'self'",
-      "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://myposjs.helcim.com https://plausible.io",
-      "style-src 'self' 'unsafe-inline'",
-      "img-src 'self' data: https://res.cloudinary.com https://*.cloudinary.com",
-      "font-src 'self'",
-      "connect-src 'self' https://api.helcim.com https://myposjs.helcim.com https://plausible.io",
-      "frame-src 'self' https://myposjs.helcim.com https://secure.helcim.com",
-      "base-uri 'self'",
-      "form-action 'self'",
-    ].join('; ')
-  }
-
-  for (const [key, value] of Object.entries(headers)) {
-    setHeader(event, key, value)
-  }
-})
diff --git a/server/middleware/03.rate-limit.js b/server/middleware/03.rate-limit.js
deleted file mode 100644
index 2641598..0000000
--- a/server/middleware/03.rate-limit.js
+++ /dev/null
@@ -1,65 +0,0 @@
-import { RateLimiterMemory } from 'rate-limiter-flexible'
-
-// Strict rate limit for auth endpoints
-const authLimiter = new RateLimiterMemory({
-  points: 5,     // 5 requests
-  duration: 300, // per 5 minutes
-  keyPrefix: 'rl_auth'
-})
-
-// Moderate rate limit for payment endpoints
-const paymentLimiter = new RateLimiterMemory({
-  points: 10,
-  duration: 60,
-  keyPrefix: 'rl_payment'
-})
-
-// Light rate limit for upload endpoints
-const uploadLimiter = new RateLimiterMemory({
-  points: 10,
-  duration: 60,
-  keyPrefix: 'rl_upload'
-})
-
-// General API rate limit
-const generalLimiter = new RateLimiterMemory({
-  points: 100,
-  duration: 60,
-  keyPrefix: 'rl_general'
-})
-
-function getClientIp(event) {
-  return getHeader(event, 'x-forwarded-for')?.split(',')[0]?.trim()
-    || getHeader(event, 'x-real-ip')
-    || event.node.req.socket.remoteAddress
-    || 'unknown'
-}
-
-const AUTH_PATHS = new Set(['/api/auth/login'])
-const PAYMENT_PREFIXES = ['/api/helcim/']
-const UPLOAD_PATHS = new Set(['/api/upload/image'])
-
-export default defineEventHandler(async (event) => {
-  const path = getRequestURL(event).pathname
-  if (!path.startsWith('/api/')) return
-
-  const ip = getClientIp(event)
-
-  try {
-    if (AUTH_PATHS.has(path)) {
-      await authLimiter.consume(ip)
-    } else if (PAYMENT_PREFIXES.some(p => path.startsWith(p))) {
-      await paymentLimiter.consume(ip)
-    } else if (UPLOAD_PATHS.has(path)) {
-      await uploadLimiter.consume(ip)
-    } else {
-      await generalLimiter.consume(ip)
-    }
-  } catch (rateLimiterRes) {
-    setHeader(event, 'Retry-After', Math.ceil(rateLimiterRes.msBeforeNext / 1000))
-    throw createError({
-      statusCode: 429,
-      statusMessage: 'Too many requests. Please try again later.'
-    })
-  }
-})
diff --git a/server/models/member.js b/server/models/member.js
index aa00bf2..7dcdad0 100644
--- a/server/models/member.js
+++ b/server/models/member.js
@@ -22,11 +22,6 @@ const memberSchema = new mongoose.Schema({
     enum: getValidContributionValues(),
     required: true,
   },
-  role: {
-    type: String,
-    enum: ["member", "admin"],
-    default: "member",
-  },
   status: {
     type: String,
     enum: ["pending_payment", "active", "suspended", "cancelled"],
diff --git a/server/plugins/validate-env.js b/server/plugins/validate-env.js
deleted file mode 100644
index 886ae6e..0000000
--- a/server/plugins/validate-env.js
+++ /dev/null
@@ -1,9 +0,0 @@
-export default defineNitroPlugin(() => {
-  const config = useRuntimeConfig()
-
-  if (!config.jwtSecret) {
-    console.error('FATAL: JWT_SECRET environment variable is not set. Server cannot start without it.')
-    console.error('Set JWT_SECRET in your .env file or environment variables.')
-    process.exit(1)
-  }
-})
diff --git a/server/routes/.well-known/openid-configuration.get.ts b/server/routes/.well-known/openid-configuration.get.ts
deleted file mode 100644
index 8afa4af..0000000
--- a/server/routes/.well-known/openid-configuration.get.ts
+++ /dev/null
@@ -1,27 +0,0 @@
-/**
- * Forward /.well-known/openid-configuration to the oidc-provider.
- *
- * The provider generates this discovery document automatically, but since the
- * catch-all route is mounted under /oidc/, requests to /.well-known/ need
- * explicit forwarding.
- */
-import { getOidcProvider } from "../../utils/oidc-provider.js";
-
-export default defineEventHandler(async (event) => {
-  const provider = await getOidcProvider();
-  const { req, res } = event.node;
-
-  // The provider expects the path relative to its root
-  req.url = "/.well-known/openid-configuration";
-
-  // Traefik terminates TLS — tell the provider we're on https
-  req.headers["x-forwarded-proto"] = "https";
-
-  const callback = provider.callback() as Function;
-  await new Promise<void>((resolve, reject) => {
-    callback(req, res, (err: unknown) => {
-      if (err) reject(err);
-      else resolve();
-    });
-  });
-});
diff --git a/server/routes/oidc/[...].ts b/server/routes/oidc/[...].ts
deleted file mode 100644
index 39528f0..0000000
--- a/server/routes/oidc/[...].ts
+++ /dev/null
@@ -1,31 +0,0 @@
-/**
- * Catch-all route that delegates all /oidc/* requests to the oidc-provider.
- *
- * This exposes the standard OIDC endpoints:
- *   /oidc/auth          — authorization
- *   /oidc/token         — token exchange
- *   /oidc/me            — userinfo
- *   /oidc/session/end   — logout
- *   /oidc/jwks          — JSON Web Key Set
- */
-import { getOidcProvider } from "../../utils/oidc-provider.js";
-
-export default defineEventHandler(async (event) => {
-  const provider = await getOidcProvider();
-  const { req, res } = event.node;
-
-  // The provider's routes config includes the /oidc prefix,
-  // so pass the full path through without stripping.
-
-  // Traefik terminates TLS — tell the provider we're on https
-  req.headers["x-forwarded-proto"] = "https";
-
-  // Hand off to oidc-provider's Connect-style callback
-  const callback = provider.callback() as Function;
-  await new Promise<void>((resolve, reject) => {
-    callback(req, res, (err: unknown) => {
-      if (err) reject(err);
-      else resolve();
-    });
-  });
-});
diff --git a/server/routes/oidc/interaction/[uid].get.ts b/server/routes/oidc/interaction/[uid].get.ts
deleted file mode 100644
index ad6ad5a..0000000
--- a/server/routes/oidc/interaction/[uid].get.ts
+++ /dev/null
@@ -1,94 +0,0 @@
-/**
- * OIDC interaction handler — checks for an existing Ghost Guild session.
- *
- * Flow:
- * 1. Outline redirects user to /oidc/auth
- * 2. oidc-provider creates an interaction and redirects here
- * 3. If the user has a valid auth-token cookie → complete the interaction (SSO)
- * 4. Otherwise → redirect to the OIDC login page
- */
-import jwt from "jsonwebtoken";
-import Member from "../../../models/member.js";
-import { connectDB } from "../../../utils/mongoose.js";
-import { getOidcProvider } from "../../../utils/oidc-provider.js";
-
-export default defineEventHandler(async (event) => {
-  const provider = await getOidcProvider();
-  const uid = getRouterParam(event, "uid")!;
-
-  // Load the interaction details from oidc-provider
-  const interactionDetails = await provider.interactionDetails(
-    event.node.req,
-    event.node.res
-  );
-  const { prompt } = interactionDetails;
-
-  // ----- Login prompt -----
-  if (prompt.name === "login") {
-    // Check for existing Ghost Guild session
-    const token = getCookie(event, "auth-token");
-
-    if (token) {
-      try {
-        const config = useRuntimeConfig();
-        const decoded = jwt.verify(token, config.jwtSecret) as {
-          memberId: string;
-        };
-
-        await connectDB();
-        const member = await (Member as any).findById(decoded.memberId);
-
-        if (
-          member &&
-          member.status !== "suspended" &&
-          member.status !== "cancelled"
-        ) {
-          // Auto-complete the login interaction (SSO)
-          const result = {
-            login: { accountId: member._id.toString() },
-          };
-          await provider.interactionFinished(
-            event.node.req,
-            event.node.res,
-            result,
-            { mergeWithLastSubmission: false }
-          );
-          return;
-        }
-      } catch {
-        // Token invalid — fall through to login page
-      }
-    }
-
-    // No valid session — redirect to login page
-    return sendRedirect(event, `/oidc/login?uid=${uid}`, 302);
-  }
-
-  // ----- Consent prompt -----
-  if (prompt.name === "consent") {
-    // Auto-approve consent for our first-party client
-    const grant = interactionDetails.grantId
-      ? await provider.Grant.find(interactionDetails.grantId)
-      : new provider.Grant({
-          accountId: interactionDetails.session!.accountId,
-          clientId: interactionDetails.params.client_id as string,
-        });
-
-    if (grant) {
-      grant.addOIDCScope("openid profile email");
-      await grant.save();
-
-      const result = { consent: { grantId: grant.jti } };
-      await provider.interactionFinished(
-        event.node.req,
-        event.node.res,
-        result,
-        { mergeWithLastSubmission: true }
-      );
-      return;
-    }
-  }
-
-  // Fallback — shouldn't reach here normally
-  throw createError({ statusCode: 400, statusMessage: "Unknown interaction" });
-});
diff --git a/server/routes/oidc/interaction/login.post.ts b/server/routes/oidc/interaction/login.post.ts
deleted file mode 100644
index d342dbc..0000000
--- a/server/routes/oidc/interaction/login.post.ts
+++ /dev/null
@@ -1,81 +0,0 @@
-/**
- * Handle magic link login request during OIDC interaction flow.
- *
- * POST /oidc/interaction/login
- * Body: { email: string, uid: string }
- *
- * Sends a magic link email. The link includes the OIDC interaction uid so the
- * verify step can complete the interaction after authenticating.
- */
-import jwt from "jsonwebtoken";
-import { Resend } from "resend";
-import Member from "../../../models/member.js";
-import { connectDB } from "../../../utils/mongoose.js";
-
-const resend = new Resend(process.env.RESEND_API_KEY);
-
-export default defineEventHandler(async (event) => {
-  await connectDB();
-
-  const body = await readBody(event);
-  const email = body?.email?.trim()?.toLowerCase();
-  const uid = body?.uid;
-
-  if (!email || !uid) {
-    throw createError({
-      statusCode: 400,
-      statusMessage: "Email and interaction uid are required",
-    });
-  }
-
-  const GENERIC_MESSAGE =
-    "If this email is registered, we've sent a login link.";
-
-  const member = await (Member as any).findOne({ email });
-  if (!member) {
-    return { success: true, message: GENERIC_MESSAGE };
-  }
-
-  const config = useRuntimeConfig(event);
-  const token = jwt.sign(
-    { memberId: member._id, oidcUid: uid },
-    config.jwtSecret,
-    { expiresIn: "15m" }
-  );
-
-  const headers = getHeaders(event);
-  const baseUrl =
-    process.env.BASE_URL ||
-    `${headers.host?.includes("localhost") ? "http" : "https"}://${headers.host}`;
-
-  try {
-    await resend.emails.send({
-      from: "Ghost Guild <ghostguild@babyghosts.org>",
-      to: email,
-      subject: "Sign in to Ghost Guild Wiki",
-      html: `
-        <div style="font-family: Arial, sans-serif; max-width: 600px; margin: 0 auto;">
-          <h2 style="color: #2563eb;">Sign in to the Ghost Guild Wiki</h2>
-          <p>Click the button below to sign in:</p>
-          <div style="text-align: center; margin: 30px 0;">
-            <a href="${baseUrl}/oidc/interaction/verify?token=${token}"
-               style="background-color: #2563eb; color: white; padding: 12px 24px; text-decoration: none; border-radius: 6px; display: inline-block;">
-              Sign In
-            </a>
-          </div>
-          <p style="color: #666; font-size: 14px;">
-            This link expires in 15 minutes. If you didn't request this, you can safely ignore this email.
-          </p>
-        </div>
-      `,
-    });
-
-    return { success: true, message: GENERIC_MESSAGE };
-  } catch (error) {
-    console.error("Failed to send OIDC login email:", error);
-    throw createError({
-      statusCode: 500,
-      statusMessage: "Failed to send login email. Please try again.",
-    });
-  }
-});
diff --git a/server/routes/oidc/interaction/verify.get.ts b/server/routes/oidc/interaction/verify.get.ts
deleted file mode 100644
index 30b447b..0000000
--- a/server/routes/oidc/interaction/verify.get.ts
+++ /dev/null
@@ -1,75 +0,0 @@
-/**
- * Verify magic link token and complete the OIDC login interaction.
- *
- * GET /oidc/interaction/verify?token=...
- *
- * This is the endpoint the magic link email points to. It:
- * 1. Verifies the JWT token
- * 2. Sets the Ghost Guild session cookie (so future logins are SSO)
- * 3. Completes the OIDC interaction so the user is redirected back to Outline
- */
-import jwt from "jsonwebtoken";
-import Member from "../../../models/member.js";
-import { connectDB } from "../../../utils/mongoose.js";
-import { getOidcProvider } from "../../../utils/oidc-provider.js";
-
-export default defineEventHandler(async (event) => {
-  const { token } = getQuery(event);
-
-  if (!token) {
-    throw createError({ statusCode: 400, statusMessage: "Token is required" });
-  }
-
-  const config = useRuntimeConfig(event);
-
-  let decoded: { memberId: string; oidcUid: string };
-  try {
-    decoded = jwt.verify(token as string, config.jwtSecret) as typeof decoded;
-  } catch {
-    throw createError({
-      statusCode: 401,
-      statusMessage: "Invalid or expired token",
-    });
-  }
-
-  await connectDB();
-  const member = await (Member as any).findById(decoded.memberId);
-
-  if (!member) {
-    throw createError({ statusCode: 404, statusMessage: "Member not found" });
-  }
-
-  if (member.status === "suspended" || member.status === "cancelled") {
-    throw createError({
-      statusCode: 403,
-      statusMessage: `Account is ${member.status}`,
-    });
-  }
-
-  // Set Ghost Guild session cookie for future SSO
-  const sessionToken = jwt.sign(
-    { memberId: member._id, email: member.email },
-    config.jwtSecret,
-    { expiresIn: "7d" }
-  );
-
-  setCookie(event, "auth-token", sessionToken, {
-    httpOnly: true,
-    secure: process.env.NODE_ENV === "production",
-    sameSite: "lax",
-    maxAge: 60 * 60 * 24 * 7,
-  });
-
-  // Complete the OIDC interaction
-  const provider = await getOidcProvider();
-  const result = {
-    login: { accountId: member._id.toString() },
-  };
-
-  await provider.interactionFinished(
-    event.node.req,
-    event.node.res,
-    result,
-    { mergeWithLastSubmission: false }
-  );
-});
diff --git a/server/utils/auth.js b/server/utils/auth.js
deleted file mode 100644
index a0cacfc..0000000
--- a/server/utils/auth.js
+++ /dev/null
@@ -1,65 +0,0 @@
-import jwt from 'jsonwebtoken'
-import Member from '../models/member.js'
-import { connectDB } from './mongoose.js'
-
-/**
- * Verify JWT from cookie and return the decoded member.
- * Throws 401 if token is missing or invalid.
- */
-export async function requireAuth(event) {
-  await connectDB()
-
-  const token = getCookie(event, 'auth-token')
-
-  if (!token) {
-    throw createError({
-      statusCode: 401,
-      statusMessage: 'Authentication required'
-    })
-  }
-
-  let decoded
-  try {
-    decoded = jwt.verify(token, useRuntimeConfig().jwtSecret)
-  } catch (err) {
-    throw createError({
-      statusCode: 401,
-      statusMessage: 'Invalid or expired token'
-    })
-  }
-
-  const member = await Member.findById(decoded.memberId)
-
-  if (!member) {
-    throw createError({
-      statusCode: 401,
-      statusMessage: 'Member not found'
-    })
-  }
-
-  if (member.status === 'suspended' || member.status === 'cancelled') {
-    throw createError({
-      statusCode: 403,
-      statusMessage: 'Account is ' + member.status
-    })
-  }
-
-  return member
-}
-
-/**
- * Verify JWT and require admin role.
- * Throws 401 if not authenticated, 403 if not admin.
- */
-export async function requireAdmin(event) {
-  const member = await requireAuth(event)
-
-  if (member.role !== 'admin') {
-    throw createError({
-      statusCode: 403,
-      statusMessage: 'Admin access required'
-    })
-  }
-
-  return member
-}
diff --git a/server/utils/escapeHtml.js b/server/utils/escapeHtml.js
deleted file mode 100644
index d7c105d..0000000
--- a/server/utils/escapeHtml.js
+++ /dev/null
@@ -1,18 +0,0 @@
-const ESCAPE_MAP = {
-  '&': '&amp;',
-  '<': '&lt;',
-  '>': '&gt;',
-  '"': '&quot;',
-  "'": '&#39;'
-}
-
-const ESCAPE_RE = /[&<>"']/g
-
-/**
- * Escape HTML special characters to prevent XSS in email templates.
- * Returns empty string for null/undefined input.
- */
-export function escapeHtml(str) {
-  if (str == null) return ''
-  return String(str).replace(ESCAPE_RE, (ch) => ESCAPE_MAP[ch])
-}
diff --git a/server/utils/oidc-mongodb-adapter.ts b/server/utils/oidc-mongodb-adapter.ts
deleted file mode 100644
index f47f3b8..0000000
--- a/server/utils/oidc-mongodb-adapter.ts
+++ /dev/null
@@ -1,114 +0,0 @@
-/**
- * MongoDB adapter for oidc-provider.
- *
- * Stores OIDC tokens, sessions, and grants in an `oidc_payloads` collection
- * with TTL indexes for automatic cleanup. Uses the existing Mongoose connection.
- */
-import mongoose from "mongoose";
-import { connectDB } from "./mongoose.js";
-
-const collectionName = "oidc_payloads";
-
-type MongoPayload = {
-  _id: string;
-  payload: Record<string, unknown>;
-  expiresAt?: Date;
-  userCode?: string;
-  uid?: string;
-  grantId?: string;
-};
-
-let collectionReady = false;
-
-async function getCollection() {
-  await connectDB();
-  const db = mongoose.connection.db!;
-  const col = db.collection<MongoPayload>(collectionName);
-
-  if (!collectionReady) {
-    // TTL index — MongoDB automatically removes documents after expiresAt
-    await col
-      .createIndex({ expiresAt: 1 }, { expireAfterSeconds: 0 })
-      .catch(() => {});
-    // Lookup indexes
-    await col.createIndex({ "payload.grantId": 1 }).catch(() => {});
-    await col.createIndex({ "payload.userCode": 1 }).catch(() => {});
-    await col.createIndex({ "payload.uid": 1 }).catch(() => {});
-    collectionReady = true;
-  }
-
-  return col;
-}
-
-function prefixedId(model: string, id: string) {
-  return `${model}:${id}`;
-}
-
-export class MongoAdapter {
-  model: string;
-
-  constructor(model: string) {
-    this.model = model;
-  }
-
-  async upsert(
-    id: string,
-    payload: Record<string, unknown>,
-    expiresIn: number
-  ) {
-    const col = await getCollection();
-    const expiresAt = expiresIn
-      ? new Date(Date.now() + expiresIn * 1000)
-      : undefined;
-
-    await col.updateOne(
-      { _id: prefixedId(this.model, id) as any },
-      {
-        $set: {
-          payload,
-          ...(expiresAt ? { expiresAt } : {}),
-        },
-      },
-      { upsert: true }
-    );
-  }
-
-  async find(id: string) {
-    const col = await getCollection();
-    const doc = await col.findOne({ _id: prefixedId(this.model, id) as any });
-    if (!doc) return undefined;
-    return doc.payload;
-  }
-
-  async findByUserCode(userCode: string) {
-    const col = await getCollection();
-    const doc = await col.findOne({ "payload.userCode": userCode });
-    if (!doc) return undefined;
-    return doc.payload;
-  }
-
-  async findByUid(uid: string) {
-    const col = await getCollection();
-    const doc = await col.findOne({ "payload.uid": uid });
-    if (!doc) return undefined;
-    return doc.payload;
-  }
-
-  async consume(id: string) {
-    const col = await getCollection();
-    await col.updateOne(
-      { _id: prefixedId(this.model, id) as any },
-      { $set: { "payload.consumed": Math.floor(Date.now() / 1000) } }
-    );
-  }
-
-  async destroy(id: string) {
-    const col = await getCollection();
-    await col.deleteOne({ _id: prefixedId(this.model, id) as any });
-  }
-
-  async revokeByGrantId(grantId: string) {
-    const col = await getCollection();
-    await col.deleteMany({ "payload.grantId": grantId });
-  }
-}
diff --git a/server/utils/oidc-provider.ts b/server/utils/oidc-provider.ts
deleted file mode 100644
index 37d5d19..0000000
--- a/server/utils/oidc-provider.ts
+++ /dev/null
@@ -1,136 +0,0 @@
-/**
- * OIDC Provider configuration for Ghost Guild.
- *
- * ghostguild.org acts as the identity provider. Outline wiki is the sole
- * relying party (client). Members authenticate via the existing magic-link
- * flow, and the provider issues standard OIDC tokens so Outline can identify
- * them.
- */
-import Provider from "oidc-provider";
-import { MongoAdapter } from "./oidc-mongodb-adapter.js";
-import Member from "../models/member.js";
-import { connectDB } from "./mongoose.js";
-
-let _provider: InstanceType<typeof Provider> | null = null;
-
-export async function getOidcProvider() {
-  if (_provider) return _provider;
-
-  const config = useRuntimeConfig();
-  const issuer =
-    process.env.OIDC_ISSUER || config.public.appUrl || "https://ghostguild.org";
-
-  _provider = new Provider(issuer, {
-    adapter: MongoAdapter,
-
-    // Trust X-Forwarded-Proto from Traefik reverse proxy
-    proxy: true,
-
-    clients: [
-      {
-        client_id: process.env.OIDC_CLIENT_ID || "outline-wiki",
-        client_secret: process.env.OIDC_CLIENT_SECRET || "",
-        redirect_uris: [
-          "https://wiki.ghostguild.org/auth/oidc.callback",
-          // Local development callback
-          "http://localhost:3100/auth/oidc.callback",
-        ],
-        post_logout_redirect_uris: [
-          "https://wiki.ghostguild.org",
-          "http://localhost:3100",
-        ],
-        grant_types: ["authorization_code", "refresh_token"],
-        response_types: ["code"],
-        token_endpoint_auth_method: "client_secret_post",
-      },
-    ],
-
-    claims: {
-      openid: ["sub"],
-      profile: ["name", "preferred_username"],
-      email: ["email", "email_verified"],
-    },
-
-    scopes: ["openid", "profile", "email", "offline_access"],
-
-    findAccount: async (_ctx: unknown, id: string) => {
-      await connectDB();
-      const member = await (Member as any).findById(id);
-      if (!member) return undefined;
-
-      return {
-        accountId: id,
-        async claims(_use: string, _scope: string) {
-          return {
-            sub: id,
-            name: member.name,
-            preferred_username: member.name,
-            email: member.email,
-            email_verified: true,
-          };
-        },
-      };
-    },
-
-    cookies: {
-      keys: (process.env.OIDC_COOKIE_SECRET || "dev-cookie-secret").split(","),
-    },
-
-    ttl: {
-      AccessToken: 3600, // 1 hour
-      AuthorizationCode: 600, // 10 minutes
-      RefreshToken: 14 * 24 * 60 * 60, // 14 days
-      Session: 14 * 24 * 60 * 60, // 14 days
-      Interaction: 600, // 10 minutes
-      Grant: 14 * 24 * 60 * 60, // 14 days
-    },
-
-    features: {
-      devInteractions: {
-        enabled: process.env.NODE_ENV !== "production",
-      },
-      revocation: { enabled: true },
-      rpInitiatedLogout: { enabled: true },
-    },
-
-    // Mount all OIDC endpoints under /oidc prefix
-    routes: {
-      authorization: "/oidc/auth",
-      backchannel_authentication: "/oidc/backchannel",
-      code_verification: "/oidc/device",
-      device_authorization: "/oidc/device/auth",
-      end_session: "/oidc/session/end",
-      introspection: "/oidc/token/introspection",
-      jwks: "/oidc/jwks",
-      pushed_authorization_request: "/oidc/request",
-      registration: "/oidc/reg",
-      revocation: "/oidc/token/revocation",
-      token: "/oidc/token",
-      userinfo: "/oidc/me",
-    },
-
-    interactions: {
-      url(_ctx: unknown, interaction: { uid: string }) {
-        return `/oidc/interaction/${interaction.uid}`;
-      },
-    },
-
-    // Allow Outline to use PKCE but don't require it
-    pkce: {
-      required: () => false,
-    },
-
-    // Skip consent for our first-party Outline client
-    loadExistingGrant: async (ctx: any) => {
-      const grant = new (ctx.oidc.provider.Grant as any)({
-        accountId: ctx.oidc.session!.accountId,
-        clientId: ctx.oidc.client!.clientId,
-      });
-      grant.addOIDCScope("openid profile email");
-      await grant.save();
-      return grant;
-    },
-  });
-
-  return _provider;
-}
diff --git a/server/utils/resend.js b/server/utils/resend.js
index 5f0b179..9317328 100644
--- a/server/utils/resend.js
+++ b/server/utils/resend.js
@@ -1,5 +1,4 @@
 import { Resend } from "resend";
-import { escapeHtml } from "./escapeHtml.js";
 
 const resend = new Resend(process.env.RESEND_API_KEY);
 
@@ -34,7 +33,7 @@ export async function sendEventRegistrationEmail(registration, eventData) {
     const { data, error } = await resend.emails.send({
       from: "Ghost Guild <events@babyghosts.org>",
       to: [registration.email],
-      subject: `You're registered for ${escapeHtml(eventData.title)}`,
+      subject: `You're registered for ${eventData.title}`,
       html: `
         <!DOCTYPE html>
         <html>
@@ -106,9 +105,9 @@ export async function sendEventRegistrationEmail(registration, eventData) {
             </div>
 
             <div class="content">
-              <p>Hi ${escapeHtml(registration.name)},</p>
+              <p>Hi ${registration.name},</p>
 
-              <p>Thank you for registering for <strong>${escapeHtml(eventData.title)}</strong>!</p>
+              <p>Thank you for registering for <strong>${eventData.title}</strong>!</p>
 
               <div class="event-details">
                 <div class="detail-row">
@@ -123,11 +122,11 @@ export async function sendEventRegistrationEmail(registration, eventData) {
 
                 <div class="detail-row">
                   <div class="label">Location</div>
-                  <div class="value">${escapeHtml(eventData.location)}</div>
+                  <div class="value">${eventData.location}</div>
                 </div>
               </div>
 
-              ${eventData.description ? `<p>${escapeHtml(eventData.description)}</p>` : ""}
+              ${eventData.description ? `<p>${eventData.description}</p>` : ""}
 
               ${
                 registration.ticketType &&
@@ -149,7 +148,7 @@ export async function sendEventRegistrationEmail(registration, eventData) {
                       ? `
                   <div class="detail-row">
                     <div class="label">Transaction ID</div>
-                    <div class="value" style="font-size: 12px; font-family: monospace;">${escapeHtml(registration.paymentId)}</div>
+                    <div class="value" style="font-size: 12px; font-family: monospace;">${registration.paymentId}</div>
                   </div>
                   `
                       : ""
@@ -212,7 +211,7 @@ export async function sendEventCancellationEmail(registration, eventData) {
     const { data, error } = await resend.emails.send({
       from: "Ghost Guild <events@ghostguild.org>",
       to: [registration.email],
-      subject: `Registration cancelled: ${escapeHtml(eventData.title)}`,
+      subject: `Registration cancelled: ${eventData.title}`,
       html: `
         <!DOCTYPE html>
         <html>
@@ -265,9 +264,9 @@ export async function sendEventCancellationEmail(registration, eventData) {
             </div>
 
             <div class="content">
-              <p>Hi ${escapeHtml(registration.name)},</p>
+              <p>Hi ${registration.name},</p>
 
-              <p>Your registration for <strong>${escapeHtml(eventData.title)}</strong> has been cancelled.</p>
+              <p>Your registration for <strong>${eventData.title}</strong> has been cancelled.</p>
 
               <p>We're sorry you can't make it. You can always register again if your plans change.</p>
 
@@ -333,7 +332,7 @@ export async function sendWaitlistNotificationEmail(waitlistEntry, eventData) {
     const { data, error } = await resend.emails.send({
       from: "Ghost Guild <events@ghostguild.org>",
       to: [waitlistEntry.email],
-      subject: `A spot opened up for ${escapeHtml(eventData.title)}!`,
+      subject: `A spot opened up for ${eventData.title}!`,
       html: `
         <!DOCTYPE html>
         <html>
@@ -414,9 +413,9 @@ export async function sendWaitlistNotificationEmail(waitlistEntry, eventData) {
             </div>
 
             <div class="content">
-              <p>Hi ${escapeHtml(waitlistEntry.name)},</p>
+              <p>Hi ${waitlistEntry.name},</p>
 
-              <p>Great news! A spot has become available for <strong>${escapeHtml(eventData.title)}</strong>, and you're on the waitlist.</p>
+              <p>Great news! A spot has become available for <strong>${eventData.title}</strong>, and you're on the waitlist.</p>
 
               <div class="urgent">
                 <p style="margin: 0; font-weight: 600; color: #92400e;">
@@ -427,7 +426,7 @@ export async function sendWaitlistNotificationEmail(waitlistEntry, eventData) {
               <div class="event-details">
                 <div class="detail-row">
                   <div class="label">Event</div>
-                  <div class="value">${escapeHtml(eventData.title)}</div>
+                  <div class="value">${eventData.title}</div>
                 </div>
 
                 <div class="detail-row">
@@ -442,7 +441,7 @@ export async function sendWaitlistNotificationEmail(waitlistEntry, eventData) {
 
                 <div class="detail-row">
                   <div class="label">Location</div>
-                  <div class="value">${escapeHtml(eventData.location)}</div>
+                  <div class="value">${eventData.location}</div>
                 </div>
               </div>
 
@@ -530,7 +529,7 @@ export async function sendSeriesPassConfirmation(options) {
     const { data, error } = await resend.emails.send({
       from: "Ghost Guild <events@babyghosts.org>",
       to: [to],
-      subject: `Your Series Pass for ${escapeHtml(series.title)}`,
+      subject: `Your Series Pass for ${series.title}`,
       html: `
         <!DOCTYPE html>
         <html>
@@ -621,10 +620,10 @@ export async function sendSeriesPassConfirmation(options) {
             </div>
 
             <div class="content">
-              <p style="font-size: 18px; margin-bottom: 10px;">Hi ${escapeHtml(name)},</p>
+              <p style="font-size: 18px; margin-bottom: 10px;">Hi ${name},</p>
 
               <p>
-                Great news! Your series pass for <strong>${escapeHtml(series.title)}</strong> is confirmed.
+                Great news! Your series pass for <strong>${series.title}</strong> is confirmed.
                 You're now registered for all ${events.length} events in this ${seriesTypeLabels[series.type] || "series"}.
               </p>
 
@@ -648,7 +647,7 @@ export async function sendSeriesPassConfirmation(options) {
 
                 <div class="detail-row">
                   <div class="label">Series</div>
-                  <div class="value">${escapeHtml(series.title)}</div>
+                  <div class="value">${series.title}</div>
                 </div>
 
                 ${
@@ -656,7 +655,7 @@ export async function sendSeriesPassConfirmation(options) {
                     ? `
                 <div class="detail-row">
                   <div class="label">About</div>
-                  <div class="value">${escapeHtml(series.description)}</div>
+                  <div class="value">${series.description}</div>
                 </div>
                 `
                     : ""
@@ -677,7 +676,7 @@ export async function sendSeriesPassConfirmation(options) {
                     ? `
                 <div class="detail-row">
                   <div class="label">Transaction ID</div>
-                  <div class="value" style="font-family: monospace; font-size: 14px;">${escapeHtml(paymentId)}</div>
+                  <div class="value" style="font-family: monospace; font-size: 14px;">${paymentId}</div>
                 </div>
                 `
                     : ""
@@ -700,7 +699,7 @@ export async function sendSeriesPassConfirmation(options) {
                     (event, index) => `
                   <div class="event-item">
                     <div style="font-weight: 600; color: #7c3aed; margin-bottom: 5px;">
-                      Event ${index + 1}: ${escapeHtml(event.title)}
+                      Event ${index + 1}: ${event.title}
                     </div>
                     <div style="font-size: 14px; color: #666; margin: 5px 0;">
                       📅 ${formatDate(event.startDate)}
@@ -709,7 +708,7 @@ export async function sendSeriesPassConfirmation(options) {
                       🕐 ${formatTime(event.startDate, event.endDate)}
                     </div>
                     <div style="font-size: 14px; color: #666; margin: 5px 0;">
-                      📍 ${escapeHtml(event.location)}
+                      📍 ${event.location}
                     </div>
                   </div>
                 `,
diff --git a/server/utils/schemas.js b/server/utils/schemas.js
deleted file mode 100644
index 5278098..0000000
--- a/server/utils/schemas.js
+++ /dev/null
@@ -1,96 +0,0 @@
-import * as z from 'zod'
-
-const privacyEnum = z.enum(['public', 'members', 'private'])
-
-export const emailSchema = z.object({
-  email: z.string().trim().toLowerCase().email()
-})
-
-export const memberCreateSchema = z.object({
-  email: z.string().trim().toLowerCase().email(),
-  name: z.string().min(1).max(200),
-  circle: z.enum(['community', 'founder', 'practitioner']),
-  contributionTier: z.enum(['0', '5', '15', '30', '50'])
-})
-
-export const memberProfileUpdateSchema = z.object({
-  pronouns: z.string().max(100).optional(),
-  timeZone: z.string().max(100).optional(),
-  avatar: z.union([z.string().url().max(500), z.literal('')]).optional(),
-  studio: z.string().max(200).optional(),
-  bio: z.string().max(5000).optional(),
-  location: z.string().max(200).optional(),
-  socialLinks: z.object({
-    mastodon: z.string().max(300).optional(),
-    linkedin: z.string().max(300).optional(),
-    website: z.string().max(300).optional(),
-    other: z.string().max(300).optional()
-  }).optional(),
-  offering: z.object({
-    text: z.string().max(2000).optional(),
-    tags: z.array(z.string().max(100)).max(20).optional()
-  }).optional(),
-  lookingFor: z.object({
-    text: z.string().max(2000).optional(),
-    tags: z.array(z.string().max(100)).max(20).optional()
-  }).optional(),
-  showInDirectory: z.boolean().optional(),
-  pronounsPrivacy: privacyEnum.optional(),
-  timeZonePrivacy: privacyEnum.optional(),
-  avatarPrivacy: privacyEnum.optional(),
-  studioPrivacy: privacyEnum.optional(),
-  bioPrivacy: privacyEnum.optional(),
-  locationPrivacy: privacyEnum.optional(),
-  socialLinksPrivacy: privacyEnum.optional(),
-  offeringPrivacy: privacyEnum.optional(),
-  lookingForPrivacy: privacyEnum.optional()
-})
-
-export const eventRegistrationSchema = z.object({
-  name: z.string().min(1).max(200),
-  email: z.string().trim().toLowerCase().email(),
-  dietary: z.boolean().optional()
-})
-
-export const updateCreateSchema = z.object({
-  content: z.string().min(1).max(50000),
-  images: z.array(z.string().url()).max(20).optional(),
-  privacy: z.enum(['public', 'members', 'private']).optional(),
-  commentsEnabled: z.boolean().optional()
-})
-
-export const paymentVerifySchema = z.object({
-  cardToken: z.string().min(1),
-  customerId: z.string().min(1)
-})
-
-export const adminEventCreateSchema = z.object({
-  title: z.string().min(1).max(500),
-  description: z.string().min(1).max(50000),
-  startDate: z.string().min(1),
-  endDate: z.string().min(1),
-  location: z.string().max(500).optional(),
-  maxAttendees: z.number().int().positive().optional(),
-  membersOnly: z.boolean().optional(),
-  registrationDeadline: z.string().optional(),
-  pricing: z.object({
-    paymentRequired: z.boolean().optional(),
-    isFree: z.boolean().optional()
-  }).optional(),
-  tickets: z.object({
-    enabled: z.boolean().optional(),
-    public: z.object({
-      available: z.boolean().optional(),
-      name: z.string().max(200).optional(),
-      description: z.string().max(2000).optional(),
-      price: z.number().min(0).optional(),
-      quantity: z.number().int().positive().optional(),
-      earlyBirdPrice: z.number().min(0).optional(),
-      earlyBirdDeadline: z.string().optional()
-    }).optional()
-  }).optional(),
-  image: z.string().url().optional(),
-  category: z.string().max(100).optional(),
-  tags: z.array(z.string().max(100)).max(20).optional(),
-  series: z.string().optional()
-})
diff --git a/server/utils/validateBody.js b/server/utils/validateBody.js
deleted file mode 100644
index 63f1f96..0000000
--- a/server/utils/validateBody.js
+++ /dev/null
@@ -1,12 +0,0 @@
-export async function validateBody(event, schema) {
-  const body = await readBody(event)
-  const result = schema.safeParse(body)
-  if (!result.success) {
-    throw createError({
-      statusCode: 400,
-      statusMessage: 'Validation failed',
-      data: result.error.flatten().fieldErrors
-    })
-  }
-  return result.data
-}
diff --git a/tests/client/composables/useMarkdown.test.js b/tests/client/composables/useMarkdown.test.js
deleted file mode 100644
index c78e6b0..0000000
--- a/tests/client/composables/useMarkdown.test.js
+++ /dev/null
@@ -1,110 +0,0 @@
-import { describe, it, expect } from 'vitest'
-import { useMarkdown } from '../../../app/composables/useMarkdown.js'
-
-describe('useMarkdown', () => {
-  const { render } = useMarkdown()
-
-  describe('XSS prevention', () => {
-    it('strips script tags', () => {
-      const result = render('Hello <script>alert("xss")</script> world')
-      expect(result).not.toContain('<script>')
-      expect(result).not.toContain('</script>')
-      expect(result).toContain('Hello')
-      expect(result).toContain('world')
-    })
-
-    it('strips onerror attributes', () => {
-      const result = render('<img onerror="alert(1)" src="x">')
-      expect(result).not.toContain('onerror')
-    })
-
-    it('strips onclick attributes', () => {
-      const result = render('<a onclick="alert(1)" href="#">click</a>')
-      expect(result).not.toContain('onclick')
-    })
-
-    it('strips iframe tags', () => {
-      const result = render('<iframe src="https://evil.com"></iframe>')
-      expect(result).not.toContain('<iframe')
-    })
-
-    it('strips object tags', () => {
-      const result = render('<object data="exploit.swf"></object>')
-      expect(result).not.toContain('<object')
-    })
-
-    it('strips embed tags', () => {
-      const result = render('<embed src="exploit.swf">')
-      expect(result).not.toContain('<embed')
-    })
-
-    it('sanitizes javascript: URIs', () => {
-      const result = render('[click me](javascript:alert(1))')
-      expect(result).not.toContain('javascript:')
-    })
-
-    it('strips img tags (not in allowed list)', () => {
-      const result = render('![alt](https://example.com/img.png)')
-      expect(result).not.toContain('<img')
-    })
-  })
-
-  describe('preserves safe markdown', () => {
-    it('renders bold and italic', () => {
-      const result = render('**bold** and *italic*')
-      expect(result).toContain('<strong>bold</strong>')
-      expect(result).toContain('<em>italic</em>')
-    })
-
-    it('renders links with href', () => {
-      const result = render('[Ghost Guild](https://ghostguild.org)')
-      expect(result).toContain('<a')
-      expect(result).toContain('href="https://ghostguild.org"')
-    })
-
-    it('preserves headings h1-h6', () => {
-      for (let i = 1; i <= 6; i++) {
-        const hashes = '#'.repeat(i)
-        const result = render(`${hashes} Heading ${i}`)
-        expect(result).toContain(`<h${i}>`)
-      }
-    })
-
-    it('preserves code blocks', () => {
-      const result = render('`inline code` and\n\n```\nblock code\n```')
-      expect(result).toContain('<code>')
-      expect(result).toContain('<pre>')
-    })
-
-    it('preserves blockquotes', () => {
-      const result = render('> This is a quote')
-      expect(result).toContain('<blockquote>')
-    })
-
-    it('preserves lists', () => {
-      const result = render('- item 1\n- item 2')
-      expect(result).toContain('<ul>')
-      expect(result).toContain('<li>')
-    })
-
-    it('preserves allowed attributes: href, target, rel, class', () => {
-      // DOMPurify allows href on <a> tags
-      const result = render('[link](https://example.com)')
-      expect(result).toContain('href=')
-    })
-  })
-
-  describe('edge cases', () => {
-    it('returns empty string for null', () => {
-      expect(render(null)).toBe('')
-    })
-
-    it('returns empty string for undefined', () => {
-      expect(render(undefined)).toBe('')
-    })
-
-    it('returns empty string for empty string', () => {
-      expect(render('')).toBe('')
-    })
-  })
-})
diff --git a/tests/server/api/auth-login.test.js b/tests/server/api/auth-login.test.js
deleted file mode 100644
index 828240b..0000000
--- a/tests/server/api/auth-login.test.js
+++ /dev/null
@@ -1,113 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from 'vitest'
-
-vi.mock('../../../server/models/member.js', () => ({
-  default: { findOne: vi.fn() }
-}))
-
-vi.mock('../../../server/utils/mongoose.js', () => ({
-  connectDB: vi.fn()
-}))
-
-vi.mock('jsonwebtoken', () => ({
-  default: { sign: vi.fn().mockReturnValue('mock-jwt-token') }
-}))
-
-vi.mock('resend', () => ({
-  Resend: class MockResend {
-    constructor() {
-      this.emails = { send: vi.fn().mockResolvedValue({ id: 'email-123' }) }
-    }
-  }
-}))
-
-import Member from '../../../server/models/member.js'
-import loginHandler from '../../../server/api/auth/login.post.js'
-import { createMockEvent } from '../helpers/createMockEvent.js'
-
-describe('auth login endpoint', () => {
-  beforeEach(() => {
-    vi.clearAllMocks()
-  })
-
-  it('returns generic success message for existing member', async () => {
-    Member.findOne.mockResolvedValue({
-      _id: 'member-123',
-      email: 'exists@example.com'
-    })
-
-    const event = createMockEvent({
-      method: 'POST',
-      path: '/api/auth/login',
-      body: { email: 'exists@example.com' },
-      headers: { host: 'localhost:3000' }
-    })
-
-    const result = await loginHandler(event)
-
-    expect(result).toEqual({
-      success: true,
-      message: "If this email is registered, we've sent a login link."
-    })
-  })
-
-  it('returns identical response for non-existing member (anti-enumeration)', async () => {
-    Member.findOne.mockResolvedValue(null)
-
-    const event = createMockEvent({
-      method: 'POST',
-      path: '/api/auth/login',
-      body: { email: 'nonexistent@example.com' },
-      headers: { host: 'localhost:3000' }
-    })
-
-    const result = await loginHandler(event)
-
-    expect(result).toEqual({
-      success: true,
-      message: "If this email is registered, we've sent a login link."
-    })
-  })
-
-  it('both existing and non-existing produce same shape and message', async () => {
-    // Existing member
-    Member.findOne.mockResolvedValue({ _id: 'member-123', email: 'a@b.com' })
-    const event1 = createMockEvent({
-      method: 'POST',
-      path: '/api/auth/login',
-      body: { email: 'a@b.com' },
-      headers: { host: 'localhost:3000' }
-    })
-    const result1 = await loginHandler(event1)
-
-    vi.clearAllMocks()
-
-    // Non-existing member
-    Member.findOne.mockResolvedValue(null)
-    const event2 = createMockEvent({
-      method: 'POST',
-      path: '/api/auth/login',
-      body: { email: 'nobody@example.com' },
-      headers: { host: 'localhost:3000' }
-    })
-    const result2 = await loginHandler(event2)
-
-    // Response shape and message must be identical
-    expect(Object.keys(result1).sort()).toEqual(Object.keys(result2).sort())
-    expect(result1.success).toBe(result2.success)
-    expect(result1.message).toBe(result2.message)
-  })
-
-  it('throws 400 when email is missing from body', async () => {
-    const event = createMockEvent({
-      method: 'POST',
-      path: '/api/auth/login',
-      body: {},
-      headers: { host: 'localhost:3000' }
-    })
-
-    await expect(loginHandler(event)).rejects.toMatchObject({
-      statusCode: 400,
-      statusMessage: 'Validation failed'
-    })
-  })
-})
diff --git a/tests/server/api/members-profile-patch.test.js b/tests/server/api/members-profile-patch.test.js
deleted file mode 100644
index d18436c..0000000
--- a/tests/server/api/members-profile-patch.test.js
+++ /dev/null
@@ -1,157 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from 'vitest'
-
-vi.mock('../../../server/utils/auth.js', () => ({
-  requireAuth: vi.fn()
-}))
-
-vi.mock('../../../server/models/member.js', () => ({
-  default: { findByIdAndUpdate: vi.fn() }
-}))
-
-import { requireAuth } from '../../../server/utils/auth.js'
-import Member from '../../../server/models/member.js'
-import profilePatchHandler from '../../../server/api/members/profile.patch.js'
-import { createMockEvent } from '../helpers/createMockEvent.js'
-
-describe('members profile PATCH endpoint', () => {
-  const mockMember = {
-    _id: 'member-123',
-    email: 'test@example.com',
-    name: 'Test User',
-    circle: 'community',
-    contributionTier: 5,
-    pronouns: 'they/them',
-    timeZone: 'America/New_York',
-    avatar: 'https://example.com/avatar.jpg',
-    studio: 'Test Studio',
-    bio: 'Updated bio',
-    location: 'NYC',
-    socialLinks: { twitter: '@test' },
-    offering: { text: 'help', tags: ['code'] },
-    lookingFor: { text: 'feedback', tags: ['design'] },
-    showInDirectory: true
-  }
-
-  beforeEach(() => {
-    vi.clearAllMocks()
-    requireAuth.mockResolvedValue({ _id: 'member-123' })
-    Member.findByIdAndUpdate.mockResolvedValue(mockMember)
-  })
-
-  describe('field allowlist - forbidden fields are rejected', () => {
-    it('does not pass helcimCustomerId to database update', async () => {
-      const event = createMockEvent({
-        method: 'PATCH',
-        path: '/api/members/profile',
-        body: { bio: 'new bio', helcimCustomerId: 'hacked-id' }
-      })
-
-      await profilePatchHandler(event)
-
-      const updateCall = Member.findByIdAndUpdate.mock.calls[0]
-      const setData = updateCall[1].$set
-      expect(setData).not.toHaveProperty('helcimCustomerId')
-      expect(setData).toHaveProperty('bio', 'new bio')
-    })
-
-    it('does not pass role to database update', async () => {
-      const event = createMockEvent({
-        method: 'PATCH',
-        path: '/api/members/profile',
-        body: { bio: 'new bio', role: 'admin' }
-      })
-
-      await profilePatchHandler(event)
-
-      const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
-      expect(setData).not.toHaveProperty('role')
-    })
-
-    it('does not pass status to database update', async () => {
-      const event = createMockEvent({
-        method: 'PATCH',
-        path: '/api/members/profile',
-        body: { bio: 'new bio', status: 'active' }
-      })
-
-      await profilePatchHandler(event)
-
-      const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
-      expect(setData).not.toHaveProperty('status')
-    })
-
-    it('does not pass email to database update', async () => {
-      const event = createMockEvent({
-        method: 'PATCH',
-        path: '/api/members/profile',
-        body: { bio: 'new bio', email: 'hacked@evil.com' }
-      })
-
-      await profilePatchHandler(event)
-
-      const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
-      expect(setData).not.toHaveProperty('email')
-    })
-
-    it('does not pass _id to database update', async () => {
-      const event = createMockEvent({
-        method: 'PATCH',
-        path: '/api/members/profile',
-        body: { bio: 'new bio', _id: 'different-id' }
-      })
-
-      await profilePatchHandler(event)
-
-      const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
-      expect(setData).not.toHaveProperty('_id')
-    })
-  })
-
-  describe('field allowlist - allowed fields pass through', () => {
-    it('passes allowed profile fields through', async () => {
-      const event = createMockEvent({
-        method: 'PATCH',
-        path: '/api/members/profile',
-        body: {
-          pronouns: 'they/them',
-          bio: 'Updated bio',
-          studio: 'Test Studio',
-          location: 'NYC',
-          timeZone: 'America/New_York',
-          avatar: 'https://example.com/avatar.jpg',
-          showInDirectory: true,
-          socialLinks: { twitter: '@test' }
-        }
-      })
-
-      await profilePatchHandler(event)
-
-      const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
-      expect(setData).toHaveProperty('pronouns', 'they/them')
-      expect(setData).toHaveProperty('bio', 'Updated bio')
-      expect(setData).toHaveProperty('studio', 'Test Studio')
-      expect(setData).toHaveProperty('location', 'NYC')
-      expect(setData).toHaveProperty('timeZone', 'America/New_York')
-      expect(setData).toHaveProperty('avatar', 'https://example.com/avatar.jpg')
-      expect(setData).toHaveProperty('showInDirectory', true)
-      expect(setData).toHaveProperty('socialLinks')
-    })
-
-    it('passes offering and lookingFor nested objects through', async () => {
-      const event = createMockEvent({
-        method: 'PATCH',
-        path: '/api/members/profile',
-        body: {
-          offering: { text: 'mentoring', tags: ['code', 'design'] },
-          lookingFor: { text: 'feedback', tags: ['art'] }
-        }
-      })
-
-      await profilePatchHandler(event)
-
-      const setData = Member.findByIdAndUpdate.mock.calls[0][1].$set
-      expect(setData.offering).toEqual({ text: 'mentoring', tags: ['code', 'design'] })
-      expect(setData.lookingFor).toEqual({ text: 'feedback', tags: ['art'] })
-    })
-  })
-})
diff --git a/tests/server/api/validation.test.js b/tests/server/api/validation.test.js
deleted file mode 100644
index 5d1ac9e..0000000
--- a/tests/server/api/validation.test.js
+++ /dev/null
@@ -1,273 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from 'vitest'
-import { createMockEvent } from '../helpers/createMockEvent.js'
-import {
-  emailSchema,
-  memberCreateSchema,
-  memberProfileUpdateSchema,
-  eventRegistrationSchema,
-  updateCreateSchema,
-  paymentVerifySchema,
-  adminEventCreateSchema
-} from '../../../server/utils/schemas.js'
-import { validateBody } from '../../../server/utils/validateBody.js'
-
-// --- Schema unit tests ---
-
-describe('emailSchema', () => {
-  it('accepts a valid email', () => {
-    const result = emailSchema.safeParse({ email: 'test@example.com' })
-    expect(result.success).toBe(true)
-    expect(result.data.email).toBe('test@example.com')
-  })
-
-  it('rejects a malformed email', () => {
-    const result = emailSchema.safeParse({ email: 'not-an-email' })
-    expect(result.success).toBe(false)
-  })
-
-  it('rejects missing email', () => {
-    const result = emailSchema.safeParse({})
-    expect(result.success).toBe(false)
-  })
-
-  it('trims and lowercases email', () => {
-    const result = emailSchema.safeParse({ email: '  Test@EXAMPLE.COM  ' })
-    expect(result.success).toBe(true)
-    expect(result.data.email).toBe('test@example.com')
-  })
-})
-
-describe('memberCreateSchema', () => {
-  const validMember = {
-    email: 'new@example.com',
-    name: 'Test User',
-    circle: 'community',
-    contributionTier: '0'
-  }
-
-  it('accepts valid member data', () => {
-    const result = memberCreateSchema.safeParse(validMember)
-    expect(result.success).toBe(true)
-  })
-
-  it('rejects role field (mass assignment)', () => {
-    const result = memberCreateSchema.safeParse({ ...validMember, role: 'admin' })
-    expect(result.success).toBe(true)
-    // role should NOT be in the output
-    expect(result.data).not.toHaveProperty('role')
-  })
-
-  it('rejects status field (mass assignment)', () => {
-    const result = memberCreateSchema.safeParse({ ...validMember, status: 'active' })
-    expect(result.success).toBe(true)
-    expect(result.data).not.toHaveProperty('status')
-  })
-
-  it('rejects helcimCustomerId field (mass assignment)', () => {
-    const result = memberCreateSchema.safeParse({ ...validMember, helcimCustomerId: 'cust_123' })
-    expect(result.success).toBe(true)
-    expect(result.data).not.toHaveProperty('helcimCustomerId')
-  })
-
-  it('rejects _id field (mass assignment)', () => {
-    const result = memberCreateSchema.safeParse({ ...validMember, _id: '507f1f77bcf86cd799439011' })
-    expect(result.success).toBe(true)
-    expect(result.data).not.toHaveProperty('_id')
-  })
-
-  it('rejects invalid circle enum', () => {
-    const result = memberCreateSchema.safeParse({ ...validMember, circle: 'superadmin' })
-    expect(result.success).toBe(false)
-  })
-
-  it('rejects invalid contributionTier enum', () => {
-    const result = memberCreateSchema.safeParse({ ...validMember, contributionTier: '999' })
-    expect(result.success).toBe(false)
-  })
-
-  it('rejects missing required fields', () => {
-    const result = memberCreateSchema.safeParse({ email: 'test@example.com' })
-    expect(result.success).toBe(false)
-  })
-
-  it('lowercases email', () => {
-    const result = memberCreateSchema.safeParse({ ...validMember, email: 'NEW@Example.COM' })
-    expect(result.success).toBe(true)
-    expect(result.data.email).toBe('new@example.com')
-  })
-})
-
-describe('eventRegistrationSchema', () => {
-  it('accepts valid registration', () => {
-    const result = eventRegistrationSchema.safeParse({ name: 'Jane', email: 'jane@example.com' })
-    expect(result.success).toBe(true)
-  })
-
-  it('rejects missing name', () => {
-    const result = eventRegistrationSchema.safeParse({ email: 'jane@example.com' })
-    expect(result.success).toBe(false)
-  })
-
-  it('rejects malformed email', () => {
-    const result = eventRegistrationSchema.safeParse({ name: 'Jane', email: 'bad' })
-    expect(result.success).toBe(false)
-  })
-
-  it('lowercases email', () => {
-    const result = eventRegistrationSchema.safeParse({ name: 'Jane', email: 'JANE@Example.COM' })
-    expect(result.success).toBe(true)
-    expect(result.data.email).toBe('jane@example.com')
-  })
-})
-
-describe('updateCreateSchema', () => {
-  it('accepts valid content', () => {
-    const result = updateCreateSchema.safeParse({ content: 'Hello world' })
-    expect(result.success).toBe(true)
-  })
-
-  it('rejects empty content', () => {
-    const result = updateCreateSchema.safeParse({ content: '' })
-    expect(result.success).toBe(false)
-  })
-
-  it('rejects content exceeding 50000 chars', () => {
-    const result = updateCreateSchema.safeParse({ content: 'a'.repeat(50001) })
-    expect(result.success).toBe(false)
-  })
-
-  it('accepts content at exactly 50000 chars', () => {
-    const result = updateCreateSchema.safeParse({ content: 'a'.repeat(50000) })
-    expect(result.success).toBe(true)
-  })
-
-  it('validates images are URLs', () => {
-    const result = updateCreateSchema.safeParse({
-      content: 'test',
-      images: ['not-a-url']
-    })
-    expect(result.success).toBe(false)
-  })
-
-  it('accepts valid images array', () => {
-    const result = updateCreateSchema.safeParse({
-      content: 'test',
-      images: ['https://example.com/img.png']
-    })
-    expect(result.success).toBe(true)
-  })
-
-  it('rejects more than 20 images', () => {
-    const images = Array.from({ length: 21 }, (_, i) => `https://example.com/img${i}.png`)
-    const result = updateCreateSchema.safeParse({ content: 'test', images })
-    expect(result.success).toBe(false)
-  })
-
-  it('validates privacy enum', () => {
-    const result = updateCreateSchema.safeParse({ content: 'test', privacy: 'invalid' })
-    expect(result.success).toBe(false)
-  })
-})
-
-describe('paymentVerifySchema', () => {
-  it('accepts valid card token and customer ID', () => {
-    const result = paymentVerifySchema.safeParse({ cardToken: 'tok_123', customerId: 'cust_456' })
-    expect(result.success).toBe(true)
-  })
-
-  it('rejects missing cardToken', () => {
-    const result = paymentVerifySchema.safeParse({ customerId: 'cust_456' })
-    expect(result.success).toBe(false)
-  })
-
-  it('rejects empty cardToken', () => {
-    const result = paymentVerifySchema.safeParse({ cardToken: '', customerId: 'cust_456' })
-    expect(result.success).toBe(false)
-  })
-})
-
-describe('adminEventCreateSchema', () => {
-  const validEvent = {
-    title: 'Test Event',
-    description: 'A test event',
-    startDate: '2026-04-01T10:00:00Z',
-    endDate: '2026-04-01T12:00:00Z'
-  }
-
-  it('accepts valid event data', () => {
-    const result = adminEventCreateSchema.safeParse(validEvent)
-    expect(result.success).toBe(true)
-  })
-
-  it('rejects missing title', () => {
-    const { title, ...rest } = validEvent
-    const result = adminEventCreateSchema.safeParse(rest)
-    expect(result.success).toBe(false)
-  })
-
-  it('rejects missing dates', () => {
-    const { startDate, endDate, ...rest } = validEvent
-    const result = adminEventCreateSchema.safeParse({ ...rest, title: 'Test' })
-    expect(result.success).toBe(false)
-  })
-})
-
-describe('memberProfileUpdateSchema', () => {
-  it('rejects role in profile update', () => {
-    const result = memberProfileUpdateSchema.safeParse({ role: 'admin', bio: 'test' })
-    expect(result.success).toBe(true)
-    expect(result.data).not.toHaveProperty('role')
-  })
-
-  it('rejects status in profile update', () => {
-    const result = memberProfileUpdateSchema.safeParse({ status: 'active', bio: 'test' })
-    expect(result.success).toBe(true)
-    expect(result.data).not.toHaveProperty('status')
-  })
-
-  it('validates privacy enum values', () => {
-    const result = memberProfileUpdateSchema.safeParse({ bioPrivacy: 'invalid' })
-    expect(result.success).toBe(false)
-  })
-
-  it('accepts valid privacy values', () => {
-    const result = memberProfileUpdateSchema.safeParse({ bioPrivacy: 'public' })
-    expect(result.success).toBe(true)
-  })
-})
-
-// --- validateBody integration tests ---
-
-describe('validateBody', () => {
-  it('returns validated data on success', async () => {
-    const event = createMockEvent({
-      method: 'POST',
-      body: { email: 'test@example.com' }
-    })
-    const data = await validateBody(event, emailSchema)
-    expect(data.email).toBe('test@example.com')
-  })
-
-  it('throws 400 on validation failure', async () => {
-    const event = createMockEvent({
-      method: 'POST',
-      body: { email: 'bad' }
-    })
-    await expect(validateBody(event, emailSchema)).rejects.toMatchObject({
-      statusCode: 400,
-      statusMessage: 'Validation failed'
-    })
-  })
-
-  it('strips unknown fields from output', async () => {
-    const event = createMockEvent({
-      method: 'POST',
-      body: { email: 'test@example.com', name: 'Test', circle: 'community', contributionTier: '0', role: 'admin', _id: 'fake' }
-    })
-    const data = await validateBody(event, memberCreateSchema)
-    expect(data).not.toHaveProperty('role')
-    expect(data).not.toHaveProperty('_id')
-    expect(data.email).toBe('test@example.com')
-    expect(data.name).toBe('Test')
-  })
-})
diff --git a/tests/server/helpers/createMockEvent.js b/tests/server/helpers/createMockEvent.js
deleted file mode 100644
index 922f9cd..0000000
--- a/tests/server/helpers/createMockEvent.js
+++ /dev/null
@@ -1,72 +0,0 @@
-import { IncomingMessage, ServerResponse } from 'node:http'
-import { Socket } from 'node:net'
-import { createEvent } from 'h3'
-
-/**
- * Create a real h3 event backed by real Node.js request/response objects.
- *
- * Options:
- *   method        - HTTP method (default 'GET')
- *   path          - Request path (default '/')
- *   headers       - Object of request headers
- *   cookies       - Object of cookie key/value pairs (serialized to cookie header)
- *   body          - Request body (will be JSON-serialized)
- *   remoteAddress - Client IP (default '127.0.0.1')
- */
-export function createMockEvent(options = {}) {
-  const {
-    method = 'GET',
-    path = '/',
-    headers = {},
-    cookies = {},
-    body = undefined,
-    remoteAddress = '127.0.0.1'
-  } = options
-
-  // Build cookie header from cookies object
-  const cookiePairs = Object.entries(cookies).map(([k, v]) => `${k}=${v}`)
-  if (cookiePairs.length > 0) {
-    headers.cookie = [headers.cookie, cookiePairs.join('; ')].filter(Boolean).join('; ')
-  }
-
-  // Build a real IncomingMessage
-  const socket = new Socket()
-  // remoteAddress is a getter-only property on Socket, so use defineProperty
-  Object.defineProperty(socket, 'remoteAddress', {
-    value: remoteAddress,
-    writable: true,
-    configurable: true
-  })
-  const req = new IncomingMessage(socket)
-  req.method = method
-  req.url = path
-  req.headers = Object.fromEntries(
-    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v])
-  )
-
-  // If body is provided, push it into the request stream so readBody can consume it
-  if (body !== undefined) {
-    const bodyStr = typeof body === 'string' ? body : JSON.stringify(body)
-    req.headers['content-type'] = req.headers['content-type'] || 'application/json'
-    req.headers['content-length'] = Buffer.byteLength(bodyStr).toString()
-    req.push(bodyStr)
-    req.push(null)
-  }
-
-  const res = new ServerResponse(req)
-
-  // Capture response headers for test assertions
-  const setHeaders = {}
-  const originalSetHeader = res.setHeader.bind(res)
-  res.setHeader = (name, value) => {
-    setHeaders[name.toLowerCase()] = value
-    return originalSetHeader(name, value)
-  }
-
-  const event = createEvent(req, res)
-
-  // Attach captured headers for test access
-  event._testSetHeaders = setHeaders
-
-  return event
-}
diff --git a/tests/server/middleware/csrf.test.js b/tests/server/middleware/csrf.test.js
deleted file mode 100644
index bedca8f..0000000
--- a/tests/server/middleware/csrf.test.js
+++ /dev/null
@@ -1,127 +0,0 @@
-import { describe, it, expect, beforeEach } from 'vitest'
-import { createMockEvent } from '../helpers/createMockEvent.js'
-
-// Import the handler — defineEventHandler is a global passthrough,
-// so the default export is the raw handler function.
-import csrfMiddleware from '../../../server/middleware/01.csrf.js'
-
-describe('CSRF middleware', () => {
-  describe('safe methods bypass', () => {
-    it.each(['GET', 'HEAD', 'OPTIONS'])('%s requests pass through', (method) => {
-      const event = createMockEvent({ method, path: '/api/test' })
-      expect(() => csrfMiddleware(event)).not.toThrow()
-    })
-  })
-
-  describe('non-API paths bypass', () => {
-    it('POST to non-/api/ path passes through', () => {
-      const event = createMockEvent({ method: 'POST', path: '/some/page' })
-      expect(() => csrfMiddleware(event)).not.toThrow()
-    })
-  })
-
-  describe('exempt routes bypass', () => {
-    it.each([
-      '/api/helcim/webhook',
-      '/api/slack/webhook',
-      '/api/auth/verify'
-    ])('POST to %s passes through', (path) => {
-      const event = createMockEvent({ method: 'POST', path })
-      expect(() => csrfMiddleware(event)).not.toThrow()
-    })
-  })
-
-  describe('CSRF enforcement on state-changing API requests', () => {
-    it('throws 403 when POST to /api/* has no x-csrf-token header', () => {
-      const event = createMockEvent({
-        method: 'POST',
-        path: '/api/members/profile',
-        cookies: { 'csrf-token': 'abc123' }
-      })
-
-      expect(() => csrfMiddleware(event)).toThrowError(
-        expect.objectContaining({
-          statusCode: 403,
-          statusMessage: 'CSRF token missing or invalid'
-        })
-      )
-    })
-
-    it('throws 403 when header and cookie tokens do not match', () => {
-      const event = createMockEvent({
-        method: 'POST',
-        path: '/api/members/profile',
-        cookies: { 'csrf-token': 'cookie-token' },
-        headers: { 'x-csrf-token': 'different-token' }
-      })
-
-      expect(() => csrfMiddleware(event)).toThrowError(
-        expect.objectContaining({
-          statusCode: 403,
-          statusMessage: 'CSRF token missing or invalid'
-        })
-      )
-    })
-
-    it('passes when header and cookie tokens match', () => {
-      const token = 'matching-token-value'
-      const event = createMockEvent({
-        method: 'POST',
-        path: '/api/members/profile',
-        cookies: { 'csrf-token': token },
-        headers: { 'x-csrf-token': token }
-      })
-
-      expect(() => csrfMiddleware(event)).not.toThrow()
-    })
-
-    it('enforces CSRF on DELETE requests', () => {
-      const event = createMockEvent({
-        method: 'DELETE',
-        path: '/api/admin/events/123',
-        cookies: { 'csrf-token': 'abc' }
-      })
-
-      expect(() => csrfMiddleware(event)).toThrowError(
-        expect.objectContaining({ statusCode: 403 })
-      )
-    })
-
-    it('enforces CSRF on PATCH requests', () => {
-      const event = createMockEvent({
-        method: 'PATCH',
-        path: '/api/members/profile',
-        cookies: { 'csrf-token': 'abc' }
-      })
-
-      expect(() => csrfMiddleware(event)).toThrowError(
-        expect.objectContaining({ statusCode: 403 })
-      )
-    })
-  })
-
-  describe('cookie provisioning', () => {
-    it('sets csrf-token cookie when none exists', () => {
-      const event = createMockEvent({ method: 'GET', path: '/api/test' })
-      csrfMiddleware(event)
-
-      // The middleware calls setCookie which sets a Set-Cookie header
-      const setCookieHeader = event._testSetHeaders['set-cookie']
-      expect(setCookieHeader).toBeDefined()
-      expect(setCookieHeader).toContain('csrf-token=')
-    })
-
-    it('does not set a new cookie when one already exists', () => {
-      const event = createMockEvent({
-        method: 'GET',
-        path: '/api/test',
-        cookies: { 'csrf-token': 'existing-token' }
-      })
-      csrfMiddleware(event)
-
-      const setCookieHeader = event._testSetHeaders['set-cookie']
-      // Should not have set a new cookie
-      expect(setCookieHeader).toBeUndefined()
-    })
-  })
-})
diff --git a/tests/server/middleware/rate-limit.test.js b/tests/server/middleware/rate-limit.test.js
deleted file mode 100644
index 2f81a62..0000000
--- a/tests/server/middleware/rate-limit.test.js
+++ /dev/null
@@ -1,95 +0,0 @@
-import { describe, it, expect, beforeEach, vi } from 'vitest'
-import { createMockEvent } from '../helpers/createMockEvent.js'
-
-describe('rate-limit middleware', () => {
-  // Fresh import per describe block to get fresh limiter instances
-  let rateLimitMiddleware
-
-  beforeEach(async () => {
-    vi.resetModules()
-    const mod = await import('../../../server/middleware/03.rate-limit.js')
-    rateLimitMiddleware = mod.default
-  })
-
-  describe('non-API paths', () => {
-    it('skips rate limiting for non-/api/ paths', async () => {
-      const event = createMockEvent({ path: '/about', remoteAddress: '10.0.0.1' })
-      await expect(rateLimitMiddleware(event)).resolves.toBeUndefined()
-    })
-  })
-
-  describe('auth endpoint limiting (5 per 5 min)', () => {
-    it('allows 5 requests then blocks the 6th', async () => {
-      const ip = '10.0.1.1'
-
-      // First 5 should succeed
-      for (let i = 0; i < 5; i++) {
-        const event = createMockEvent({
-          method: 'POST',
-          path: '/api/auth/login',
-          remoteAddress: ip
-        })
-        await expect(rateLimitMiddleware(event)).resolves.toBeUndefined()
-      }
-
-      // 6th should be rate limited
-      const event = createMockEvent({
-        method: 'POST',
-        path: '/api/auth/login',
-        remoteAddress: ip
-      })
-      await expect(rateLimitMiddleware(event)).rejects.toMatchObject({
-        statusCode: 429
-      })
-
-      // Check Retry-After header was set
-      expect(event._testSetHeaders['retry-after']).toBeDefined()
-    })
-  })
-
-  describe('payment endpoint limiting (10 per min)', () => {
-    it('allows 10 requests then blocks the 11th', async () => {
-      const ip = '10.0.2.1'
-
-      for (let i = 0; i < 10; i++) {
-        const event = createMockEvent({
-          method: 'POST',
-          path: '/api/helcim/initialize-payment',
-          remoteAddress: ip
-        })
-        await expect(rateLimitMiddleware(event)).resolves.toBeUndefined()
-      }
-
-      const event = createMockEvent({
-        method: 'POST',
-        path: '/api/helcim/initialize-payment',
-        remoteAddress: ip
-      })
-      await expect(rateLimitMiddleware(event)).rejects.toMatchObject({
-        statusCode: 429
-      })
-    })
-  })
-
-  describe('IP isolation', () => {
-    it('different IPs have separate rate limit counters', async () => {
-      // Exhaust limit for IP A
-      for (let i = 0; i < 5; i++) {
-        const event = createMockEvent({
-          method: 'POST',
-          path: '/api/auth/login',
-          remoteAddress: '10.0.3.1'
-        })
-        await rateLimitMiddleware(event)
-      }
-
-      // IP B should still be able to make requests
-      const event = createMockEvent({
-        method: 'POST',
-        path: '/api/auth/login',
-        remoteAddress: '10.0.3.2'
-      })
-      await expect(rateLimitMiddleware(event)).resolves.toBeUndefined()
-    })
-  })
-})
diff --git a/tests/server/middleware/security-headers.test.js b/tests/server/middleware/security-headers.test.js
deleted file mode 100644
index e6b50b1..0000000
--- a/tests/server/middleware/security-headers.test.js
+++ /dev/null
@@ -1,106 +0,0 @@
-import { describe, it, expect, beforeEach, afterEach } from 'vitest'
-import { createMockEvent } from '../helpers/createMockEvent.js'
-import securityHeadersMiddleware from '../../../server/middleware/02.security-headers.js'
-
-describe('security-headers middleware', () => {
-  const originalNodeEnv = process.env.NODE_ENV
-
-  afterEach(() => {
-    process.env.NODE_ENV = originalNodeEnv
-  })
-
-  describe('always-present headers', () => {
-    beforeEach(() => {
-      process.env.NODE_ENV = 'development'
-    })
-
-    it('sets X-Content-Type-Options to nosniff', () => {
-      const event = createMockEvent({ path: '/' })
-      securityHeadersMiddleware(event)
-      expect(event._testSetHeaders['x-content-type-options']).toBe('nosniff')
-    })
-
-    it('sets X-Frame-Options to DENY', () => {
-      const event = createMockEvent({ path: '/' })
-      securityHeadersMiddleware(event)
-      expect(event._testSetHeaders['x-frame-options']).toBe('DENY')
-    })
-
-    it('sets X-XSS-Protection to 0', () => {
-      const event = createMockEvent({ path: '/' })
-      securityHeadersMiddleware(event)
-      expect(event._testSetHeaders['x-xss-protection']).toBe('0')
-    })
-
-    it('sets Referrer-Policy', () => {
-      const event = createMockEvent({ path: '/' })
-      securityHeadersMiddleware(event)
-      expect(event._testSetHeaders['referrer-policy']).toBe('strict-origin-when-cross-origin')
-    })
-
-    it('sets Permissions-Policy', () => {
-      const event = createMockEvent({ path: '/' })
-      securityHeadersMiddleware(event)
-      expect(event._testSetHeaders['permissions-policy']).toBe('camera=(), microphone=(), geolocation=()')
-    })
-  })
-
-  describe('production-only headers', () => {
-    it('sets HSTS in production', () => {
-      process.env.NODE_ENV = 'production'
-      const event = createMockEvent({ path: '/' })
-      securityHeadersMiddleware(event)
-      expect(event._testSetHeaders['strict-transport-security']).toBe('max-age=31536000; includeSubDomains')
-    })
-
-    it('does not set HSTS in development', () => {
-      process.env.NODE_ENV = 'development'
-      const event = createMockEvent({ path: '/' })
-      securityHeadersMiddleware(event)
-      expect(event._testSetHeaders['strict-transport-security']).toBeUndefined()
-    })
-
-    it('sets CSP in production', () => {
-      process.env.NODE_ENV = 'production'
-      const event = createMockEvent({ path: '/' })
-      securityHeadersMiddleware(event)
-      expect(event._testSetHeaders['content-security-policy']).toBeDefined()
-    })
-
-    it('does not set CSP in development', () => {
-      process.env.NODE_ENV = 'development'
-      const event = createMockEvent({ path: '/' })
-      securityHeadersMiddleware(event)
-      expect(event._testSetHeaders['content-security-policy']).toBeUndefined()
-    })
-  })
-
-  describe('CSP directives', () => {
-    beforeEach(() => {
-      process.env.NODE_ENV = 'production'
-    })
-
-    it('includes Helcim sources in CSP', () => {
-      const event = createMockEvent({ path: '/' })
-      securityHeadersMiddleware(event)
-      const csp = event._testSetHeaders['content-security-policy']
-      expect(csp).toContain('myposjs.helcim.com')
-      expect(csp).toContain('api.helcim.com')
-      expect(csp).toContain('secure.helcim.com')
-    })
-
-    it('includes Cloudinary sources in CSP', () => {
-      const event = createMockEvent({ path: '/' })
-      securityHeadersMiddleware(event)
-      const csp = event._testSetHeaders['content-security-policy']
-      expect(csp).toContain('res.cloudinary.com')
-    })
-
-    it('includes Plausible sources in CSP', () => {
-      const event = createMockEvent({ path: '/' })
-      securityHeadersMiddleware(event)
-      const csp = event._testSetHeaders['content-security-policy']
-      expect(csp).toContain('plausible.io')
-    })
-  })
-})
diff --git a/tests/server/setup.js b/tests/server/setup.js
deleted file mode 100644
index 37575c2..0000000
--- a/tests/server/setup.js
+++ /dev/null
@@ -1,34 +0,0 @@
-import { vi } from 'vitest'
-import {
-  getCookie,
-  setCookie,
-  getMethod,
-  getHeader,
-  getHeaders,
-  setHeader,
-  getRequestURL,
-  createError,
-  defineEventHandler,
-  readBody,
-  getQuery,
-  getRouterParam
-} from 'h3'
-
-// Register real h3 functions as globals so server code that relies on
-// Nitro auto-imports can find them in the test environment.
-vi.stubGlobal('getCookie', getCookie)
-vi.stubGlobal('setCookie', setCookie)
-vi.stubGlobal('getMethod', getMethod)
-vi.stubGlobal('getHeader', getHeader)
-vi.stubGlobal('getHeaders', getHeaders)
-vi.stubGlobal('setHeader', setHeader)
-vi.stubGlobal('getRequestURL', getRequestURL)
-vi.stubGlobal('createError', createError)
-vi.stubGlobal('defineEventHandler', defineEventHandler)
-vi.stubGlobal('readBody', readBody)
-vi.stubGlobal('getQuery', getQuery)
-vi.stubGlobal('getRouterParam', getRouterParam)
-
-vi.stubGlobal('useRuntimeConfig', () => ({
-  jwtSecret: 'test-jwt-secret'
-}))
diff --git a/tests/server/utils/auth.test.js b/tests/server/utils/auth.test.js
deleted file mode 100644
index 815185f..0000000
--- a/tests/server/utils/auth.test.js
+++ /dev/null
@@ -1,142 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from 'vitest'
-
-vi.mock('../../../server/models/member.js', () => ({
-  default: { findById: vi.fn() }
-}))
-
-vi.mock('../../../server/utils/mongoose.js', () => ({
-  connectDB: vi.fn()
-}))
-
-vi.mock('jsonwebtoken', () => ({
-  default: { verify: vi.fn() }
-}))
-
-import Member from '../../../server/models/member.js'
-import jwt from 'jsonwebtoken'
-import { requireAuth, requireAdmin } from '../../../server/utils/auth.js'
-import { createMockEvent } from '../helpers/createMockEvent.js'
-
-describe('requireAuth', () => {
-  beforeEach(() => {
-    vi.clearAllMocks()
-  })
-
-  it('throws 401 when no auth-token cookie', async () => {
-    const event = createMockEvent({ path: '/api/test' })
-
-    await expect(requireAuth(event)).rejects.toMatchObject({
-      statusCode: 401,
-      statusMessage: 'Authentication required'
-    })
-  })
-
-  it('throws 401 when JWT is invalid', async () => {
-    jwt.verify.mockImplementation(() => { throw new Error('invalid token') })
-
-    const event = createMockEvent({
-      path: '/api/test',
-      cookies: { 'auth-token': 'bad-token' }
-    })
-
-    await expect(requireAuth(event)).rejects.toMatchObject({
-      statusCode: 401,
-      statusMessage: 'Invalid or expired token'
-    })
-  })
-
-  it('throws 401 when member not found in DB', async () => {
-    jwt.verify.mockReturnValue({ memberId: 'member-123' })
-    Member.findById.mockResolvedValue(null)
-
-    const event = createMockEvent({
-      path: '/api/test',
-      cookies: { 'auth-token': 'valid-token' }
-    })
-
-    await expect(requireAuth(event)).rejects.toMatchObject({
-      statusCode: 401,
-      statusMessage: 'Member not found'
-    })
-  })
-
-  it('throws 403 when member is suspended', async () => {
-    jwt.verify.mockReturnValue({ memberId: 'member-123' })
-    Member.findById.mockResolvedValue({ _id: 'member-123', status: 'suspended', role: 'member' })
-
-    const event = createMockEvent({
-      path: '/api/test',
-      cookies: { 'auth-token': 'valid-token' }
-    })
-
-    await expect(requireAuth(event)).rejects.toMatchObject({
-      statusCode: 403,
-      statusMessage: 'Account is suspended'
-    })
-  })
-
-  it('throws 403 when member is cancelled', async () => {
-    jwt.verify.mockReturnValue({ memberId: 'member-123' })
-    Member.findById.mockResolvedValue({ _id: 'member-123', status: 'cancelled', role: 'member' })
-
-    const event = createMockEvent({
-      path: '/api/test',
-      cookies: { 'auth-token': 'valid-token' }
-    })
-
-    await expect(requireAuth(event)).rejects.toMatchObject({
-      statusCode: 403,
-      statusMessage: 'Account is cancelled'
-    })
-  })
-
-  it('returns member when token and status are valid', async () => {
-    const mockMember = { _id: 'member-123', status: 'active', role: 'member', email: 'test@example.com' }
-    jwt.verify.mockReturnValue({ memberId: 'member-123' })
-    Member.findById.mockResolvedValue(mockMember)
-
-    const event = createMockEvent({
-      path: '/api/test',
-      cookies: { 'auth-token': 'valid-token' }
-    })
-
-    const result = await requireAuth(event)
-    expect(result).toEqual(mockMember)
-  })
-})
-
-describe('requireAdmin', () => {
-  beforeEach(() => {
-    vi.clearAllMocks()
-  })
-
-  it('throws 403 when member is not admin', async () => {
-    const mockMember = { _id: 'member-123', status: 'active', role: 'member' }
-    jwt.verify.mockReturnValue({ memberId: 'member-123' })
-    Member.findById.mockResolvedValue(mockMember)
-
-    const event = createMockEvent({
-      path: '/api/admin/test',
-      cookies: { 'auth-token': 'valid-token' }
-    })
-
-    await expect(requireAdmin(event)).rejects.toMatchObject({
-      statusCode: 403,
-      statusMessage: 'Admin access required'
-    })
-  })
-
-  it('returns member when role is admin', async () => {
-    const mockMember = { _id: 'admin-123', status: 'active', role: 'admin', email: 'admin@example.com' }
-    jwt.verify.mockReturnValue({ memberId: 'admin-123' })
-    Member.findById.mockResolvedValue(mockMember)
-
-    const event = createMockEvent({
-      path: '/api/admin/test',
-      cookies: { 'auth-token': 'valid-token' }
-    })
-
-    const result = await requireAdmin(event)
-    expect(result).toEqual(mockMember)
-  })
-})
diff --git a/tests/server/utils/escapeHtml.test.js b/tests/server/utils/escapeHtml.test.js
deleted file mode 100644
index 359c37c..0000000
--- a/tests/server/utils/escapeHtml.test.js
+++ /dev/null
@@ -1,60 +0,0 @@
-import { describe, it, expect } from 'vitest'
-import { escapeHtml } from '../../../server/utils/escapeHtml.js'
-
-describe('escapeHtml', () => {
-  it('escapes ampersands', () => {
-    expect(escapeHtml('a&b')).toBe('a&amp;b')
-  })
-
-  it('escapes less-than signs', () => {
-    expect(escapeHtml('a<b')).toBe('a&lt;b')
-  })
-
-  it('escapes greater-than signs', () => {
-    expect(escapeHtml('a>b')).toBe('a&gt;b')
-  })
-
-  it('escapes double quotes', () => {
-    expect(escapeHtml('a"b')).toBe('a&quot;b')
-  })
-
-  it('escapes single quotes', () => {
-    expect(escapeHtml("a'b")).toBe('a&#39;b')
-  })
-
-  it('escapes all entities in a single string', () => {
-    expect(escapeHtml('<div class="x">&\'test\'')).toBe(
-      '&lt;div class=&quot;x&quot;&gt;&amp;&#39;test&#39;'
-    )
-  })
-
-  it('returns empty string for null', () => {
-    expect(escapeHtml(null)).toBe('')
-  })
-
-  it('returns empty string for undefined', () => {
-    expect(escapeHtml(undefined)).toBe('')
-  })
-
-  it('converts numbers to string', () => {
-    expect(escapeHtml(42)).toBe('42')
-  })
-
-  it('passes safe strings through unchanged', () => {
-    expect(escapeHtml('hello world')).toBe('hello world')
-  })
-
-  it('neutralizes script tag XSS payload', () => {
-    const payload = '<script>alert("xss")</script>'
-    const result = escapeHtml(payload)
-    expect(result).not.toContain('<script>')
-    expect(result).toBe('&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;')
-  })
-
-  it('neutralizes img onerror XSS payload', () => {
-    const payload = '<img onerror="alert(1)" src=x>'
-    const result = escapeHtml(payload)
-    expect(result).not.toContain('<img')
-    expect(result).toBe('&lt;img onerror=&quot;alert(1)&quot; src=x&gt;')
-  })
-})
diff --git a/vitest.config.js b/vitest.config.js
deleted file mode 100644
index 5bb28eb..0000000
--- a/vitest.config.js
+++ /dev/null
@@ -1,25 +0,0 @@
-import { defineConfig } from 'vitest/config'
-
-export default defineConfig({
-  test: {
-    projects: [
-      {
-        test: {
-          name: 'server',
-          include: ['tests/server/**/*.test.js'],
-          environment: 'node',
-          globals: true,
-          setupFiles: ['./tests/server/setup.js']
-        }
-      },
-      {
-        test: {
-          name: 'client',
-          include: ['tests/client/**/*.test.js'],
-          environment: 'jsdom',
-          globals: true
-        }
-      }
-    ]
-  }
-})