feat(member): account/profile polish + tier upgrade flow

- Timezone: curated USelectMenu dropdown (app/config/timezones.js), preserves unknown saved values
- Profile save now uses useToast() for success/error; remove inline save banner
- Nav onboarding dot nudged down 1px for optical alignment with lowercase text
- Onboarding: skip a suggestion with POST /api/onboarding/track {skip}; member.onboarding.skipped map; does not affect graduation
- CirclePicker takes :saved-value so 'Current' badge stays until save completes
- PrivacyToggle is binary (USwitch labeled Private); member schema enum reduced to ['members','private']; zod coerces legacy 'public'
- New /member/payment-setup page: HelcimPay $0 verify + update-contribution, wired from account.vue via requiresPaymentSetup redirect
- Helcim portal: NUXT_PUBLIC_HELCIM_PORTAL_URL env + account.vue 'Manage billing in Helcim' link
- Migration script: scripts/migrate-privacy-public-to-members.js

tests/server/api/onboarding-status.test.js

@@ -49,10 +49,41 @@ describe('GET /api/onboarding/status', () => {
         hasEngagedBoard: false,
         hasClickedWiki: false,
       },
+      skipped: {
+        profileTags: false,
+        visitEvent: false,
+        board: false,
+        wiki: false,
+      },
       completedAt: null,
     })
   })
 
+  // Skip flags surface from member.onboarding.skipped
+  it('returns skipped map from member document', async () => {
+    requireAuth.mockResolvedValue({
+      _id: 'member-1',
+      craftTags: [],
+      onboarding: {
+        completedAt: null,
+        eventPageVisited: false,
+        boardPageVisited: false,
+        wikiClicked: false,
+        skipped: { profileTags: true, wiki: true },
+      },
+    })
+
+    const event = createMockEvent({ method: 'GET', path: '/api/onboarding/status' })
+    const result = await handler(event)
+
+    expect(result.skipped).toEqual({
+      profileTags: true,
+      visitEvent: false,
+      board: false,
+      wiki: true,
+    })
+  })
+
   // 1.2: hasProfileTags true when craft tags present
   it('hasProfileTags is true when member has craft tags', async () => {
     requireAuth.mockResolvedValue({

tests/server/api/onboarding-track.test.js

@@ -206,6 +206,45 @@ describe('POST /api/onboarding/track', () => {
     )
   })
 
+  // Skip: marks suggestion skipped without touching underlying goal
+  it('marks the suggestion skipped when skip is provided', async () => {
+    validateBody.mockResolvedValue({ skip: 'wiki' })
+
+    const event = createMockEvent({
+      method: 'POST',
+      path: '/api/onboarding/track',
+      body: { skip: 'wiki' },
+    })
+
+    const result = await handler(event)
+
+    expect(result).toEqual({ success: true })
+    expect(Member.findByIdAndUpdate).toHaveBeenCalledWith('member-1', {
+      $set: { 'onboarding.skipped.wiki': true },
+    })
+    // No goal log when skipping
+    expect(logActivity).not.toHaveBeenCalled()
+  })
+
+  it('no-ops skip path when already graduated', async () => {
+    requireAuth.mockResolvedValue({
+      _id: 'member-1',
+      onboarding: { completedAt: new Date() },
+    })
+    validateBody.mockResolvedValue({ skip: 'board' })
+
+    const event = createMockEvent({
+      method: 'POST',
+      path: '/api/onboarding/track',
+      body: { skip: 'board' },
+    })
+
+    const result = await handler(event)
+
+    expect(result).toEqual({ success: true })
+    expect(Member.findByIdAndUpdate).not.toHaveBeenCalled()
+  })
+
   // 2.15: Requires auth (401)
   it('returns 401 when not authenticated', async () => {
     requireAuth.mockRejectedValue(

tests/server/api/validation.test.js

@@ -180,9 +180,15 @@ describe('memberProfileUpdateSchema', () => {
     expect(result.success).toBe(false)
   })
 
-  it('accepts valid privacy values', () => {
+  it('accepts valid binary privacy values', () => {
+    expect(memberProfileUpdateSchema.safeParse({ bioPrivacy: 'members' }).success).toBe(true)
+    expect(memberProfileUpdateSchema.safeParse({ bioPrivacy: 'private' }).success).toBe(true)
+  })
+
+  it('coerces legacy "public" privacy value to "members"', () => {
     const result = memberProfileUpdateSchema.safeParse({ bioPrivacy: 'public' })
     expect(result.success).toBe(true)
+    expect(result.data.bioPrivacy).toBe('members')
   })
 })