S1. Sign-up & activation
Create an account, activate it with the emailed token, verify token single-use and /me state.
S2. Sign-in & session
Authenticate with email/password, verify /me shape on a fresh account, and confirm sign-out revokes the token.
S3. Password reset
Run the ask → token → update-password flow and verify ALL bearer tokens are revoked.
S4. Email change
Change the account email via the two-step token flow; verify conflict handling does not burn the token.
S5. Profile creation
Check username availability rules and create the one-and-only profile for an account.
S6. Profile update
Verify PATCH /profile/update field-by-field semantics, null coercion, unknown-field tolerance, and payload limits.
S7. Profile visibility
A private profile disappears from public lookup but stays visible to its owner.
S8. Avatar & media boxes
Exercise avatar replacement, media-box upload limits, and both delete-by-id and delete-by-url paths.
S9. Analytics ingestion
Fire every event type at the public tracking endpoint and confirm validation, privacy, and throttling.
S10. Analytics dashboard
Verify totals, zero-filled series, top_links, range validation, and unique-visitor dedupe on GET /profile/analytics.
S11. Featured profiles & rich URL
Check the featured listing (backend-managed flag) and the rich-url scraper including its FAILED-not-error contract.
S12. Billing negative paths
Exercise the Stripe endpoints without Stripe credentials: auth gate, price whitelist, webhook signature.