=== API negative-path checks ===
-- unsafe prompt before provider (no image, should be 400 UNSAFE_PROMPT_BLOCKED)
{"ok":false,"code":"UNSAFE_PROMPT_BLOCKED","message":"This request matches a blocked safety category."}
HTTP:400
-- safe prompt without image (should be 400 IMAGE_REQUIRED, proving validation before provider)
{"ok":false,"code":"IMAGE_REQUIRED","message":"Upload a JPG, PNG, or WebP source image before generating."}
HTTP:400
-- credits
{"authenticated":false,"user":null,"plan":"free","daily_limit":2,"free_remaining":2,"paid_remaining":0,"remaining":2,"paid_enabled":true,"checkout":{"monthly":"/api/checkout/stripe?plan=monthly","yearly":"/api/checkout/stripe?plan=yearly","credit_pack":"/api/checkout/stripe?plan=credit_pack"}}\n-- auth login headers
HTTP/2 302 
location: https://accounts.google.com/o/oauth2/v2/auth?client_id=898368882649-arbj842lpgra1o23ms9d99bc4v7b04p2.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Faieditorrsp.net%2Fapi%2Fauth%2Fcallback%2Fgoogle&response_type=code&scope=openid+email+profile&state=state_01ZO3fGbOK4rg1uVZhVvfA&prompt=select_account
set-cookie: aieditorrsp_oauth_state=%7B%22state%22%3A%22state_01ZO3fGbOK4rg1uVZhVvfA%22%2C%22returnTo%22%3A%22%2Fpricing%22%7D; Path=/; Max-Age=600; HttpOnly; Secure; SameSite=Lax
set-cookie: aieditorrsp_checkout_plan=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax
-- checkout anonymous monthly
HTTP/2 302 
location: https://aieditorrsp.net/api/auth/login?return_to=%2Fapi%2Fcheckout%2Fstripe%3Fplan%3Dmonthly
-- webhook method existence
HTTP/2 405