v5.2.16

Consent data-loss guard (Fixed) — A legacy account (signed up before the flags.signupProcessed completion flow existed, so the flag was never set) re-fires /user/signup on every page load until the flag flips. Its consent payload arrives empty (original long gone from localStorage), which previously computed 'revoked' and, on the {merge:true} write, wiped the consent the user actually granted months ago. buildConsentRecord now reads the existing doc's consent and preserves any already-granted status when the payload doesn't explicitly re-grant it. A genuine new grant still applies; an at-signup decline with no prior grant still records the decline. Added two regression tests + a dedicated consent-preserve test account.

Consent schema shape (Changed) — schemas/user/signup/post.js now declares the nested consent.{legal,marketing}.{granted,text} shape instead of a bare passthrough object, documenting the input contract at the schema layer. Sub-objects are optional — omitting one leaves existing consent untouched.

Legacy affiliateCode removal (Removed) — Dropped the dead top-level affiliateCode field from /user/signup (schema + normalize shim + processAffiliate fallback). The route now reads referral codes exclusively from attribution.affiliate.code, matching what UJM and all current consumers send. The legacy bm_api sign-up action is unchanged.