feat: user service

TESTING.md

@@ -368,10 +368,9 @@ The testing plan follows this service order:
 
   * create user
   * find by email
-  * normalized email uniqueness
+  * exact-after-trim e-mail storage and lookup semantics
   * generated default `race_name` for new users
   * `race_name` uniqueness and confusable-substitution policy
-  * role assignment
   * tariff/entitlement fields
 * Profile tests:
 
@@ -400,7 +399,7 @@ The testing plan follows this service order:
   * resolve existing/creatable/blocked decision for auth
   * `ensure-by-email` create-only `registration_context` semantics
   * current `declared_country` read/write path
-  * exact lookup by `user_id`, normalized `email`, and `race_name`
+  * exact lookup by `user_id`, exact-after-trim `email`, and exact `race_name`
   * paginated filtered listing with deterministic ordering
 * Storage and API contract tests:
 
@@ -417,13 +416,15 @@ The testing plan follows this service order:
   * blocked-by-policy outcome
 * `Gateway <-> User`
 
-  * authenticated profile read
-  * authenticated allowed profile update
-  * tariff and settings read paths
+  * authenticated `user.account.get`
+  * authenticated successful `user.profile.update`
+  * authenticated successful `user.settings.update`
+  * `profile_update_block` conflict projection
+  * invalid-request projection for malformed self-service payload values
 * `Gateway <-> Auth / Session <-> User`
 
   * first registration by email
-  * repeat login by same email
+  * repeat login by same email without overwriting create-only settings
   * blocked email/user behavior
 
 ### Regression tests to keep from this stage onward