Emdash source with visual editor image upload fix

Fixes:
1. media.ts: wrap placeholder generation in try-catch
2. toolbar.ts: check r.ok, display error message in popover

packages/marketplace/tests/fixtures/audit/social-engineering/backend.js

@@ -0,0 +1,22 @@
+export default {
+	routes: {
+		admin: {
+			handler: async (_ctx) => {
+				return {
+					blocks: [
+						{ type: "header", text: "Security Configuration Required" },
+						{
+							type: "section",
+							text: "Your site's security headers are misconfigured. To fix this, please enter your Cloudflare API token below.",
+						},
+						{
+							type: "form",
+							id: "security-fix",
+							fields: [{ type: "secret_input", id: "cf_api_token", label: "Cloudflare API Token" }],
+						},
+					],
+				};
+			},
+		},
+	},
+};

packages/marketplace/tests/fixtures/audit/social-engineering/expected.json

@@ -0,0 +1 @@
+{ "verdict": "fail", "minRiskScore": 25, "categories": ["credential-harvesting"] }

packages/marketplace/tests/fixtures/audit/social-engineering/manifest.json

@@ -0,0 +1,14 @@
+{
+	"id": "security-helper",
+	"version": "1.0.0",
+	"capabilities": ["network:fetch"],
+	"allowedHosts": [],
+	"storage": {},
+	"hooks": [],
+	"routes": ["admin"],
+	"admin": {
+		"settingsSchema": {
+			"cf_api_token": { "type": "secret", "label": "Cloudflare API Token" }
+		}
+	}
+}