Canvas mode: verify and enable provider-backed masked edit

[lidge-jun]

Source

Canvas Mode Phase 5 follow-up from devlog/_plan/0.24-canvas-mode/PHASE-5-edit-with-mask.md, FOLLOW-UP-ISSUES.md, and parent issue #22.

Goal

Turn the current Canvas mask-edit affordance into a verified provider-backed feature.

Current state

• Canvas UI has an Edit with Mask button.
• ui/src/lib/canvas/maskRenderer.ts can render PNG masks from Canvas boxes.
• routes/edit.js validates optional PNG masks, dimensions, size, and alpha.
• lib/oauthProxy.js intentionally returns EDIT_MASK_NOT_SUPPORTED until an upstream mask path is verified.

Scope

• Verify the upstream image edit provider contract for mask input.
• Wire mask payload through the provider only after contract verification.
• Preserve no-mask edit behavior.
• Keep stable error codes for unsupported/invalid masks.
• Never silently degrade masked edit into full-image edit.
• Log only mask presence/size, never raw mask data.

Out of scope

• SVG/PPTX export.
• Alpha checkerboard/export controls.
• New drawing tools.
• Provider switching beyond the existing image edit route.

Acceptance criteria

• Masked edit no longer returns EDIT_MASK_NOT_SUPPORTED in verified supported environments.
• Invalid masks still return stable validation errors.
• Source image and mask dimensions must match.
• Mask PNG must include alpha.
• If upstream rejects mask input, UI surfaces a clear actionable error.
• Tests cover provider payload construction and ensure no prompt-only/full-image fallback occurs.
• Manual smoke test verifies a boxed region edit changes only the intended region as much as the provider allows.