fix(api): handle whitespace around q-parameter in Accept negotiation

Round 2 review (#82): CodeRabbit flagged that the round-1 q parsing
used `param.startsWith("q=")` which only matches the compact form.
Per RFC 7230 §3.2.6, optional whitespace is permitted around the `=`
in `parameter = token "=" ( token / quoted-string )`, so a strict
client may send `Accept: text/event-stream ; q = 0`. The prior fix
treated such forms as "no q parameter present" and returned true,
incorrectly opting the client into streaming.

Replaced startsWith check with an indexOf("=") + slice + trim pass:
parse name and value separately so whitespace around the delimiter
no longer hides q. Empty `q=` value now correctly resolves to false
(Number("") = 0, fails q > 0).

Verified before/after:

- text/event-stream ; q = 0    → was true, now false
- text/event-stream ; q = 0.5  → was true (default-q path), now true (real q parsed)
- text/event-stream;q=0        → still false (round-1 case)
- text/event-stream;q=         → was true (empty slice), now false

Tests: api-helpers.test.ts +3 cases covering whitespace q=0,
whitespace q=0.5, and empty q value. 12 → 15 cases.

Author: pescn

backend/src/utils/api-helpers.test.ts

@@ -46,6 +46,18 @@ describe("acceptsEventStream", () => {
     expect(acceptsEventStream(h("text/event-stream;q=0.0"))).toBe(false);
   });
 
+  test("q = 0 with whitespace around = rejects SSE", () => {
+    expect(acceptsEventStream(h("text/event-stream ; q = 0"))).toBe(false);
+  });
+
+  test("q = 0.5 with whitespace around = is accepted", () => {
+    expect(acceptsEventStream(h("text/event-stream ; q = 0.5"))).toBe(true);
+  });
+
+  test("malformed empty q value is treated as not acceptable", () => {
+    expect(acceptsEventStream(h("text/event-stream;q="))).toBe(false);
+  });
+
   test("q=0 in a weighted list rejects SSE", () => {
     expect(
       acceptsEventStream(h("text/event-stream;q=0, application/json")),

backend/src/utils/api-helpers.ts

@@ -64,12 +64,20 @@ export function acceptsEventStream(headers: Headers): boolean {
     if (mediaType !== "text/event-stream") {
       return false;
     }
-    const qParam = params.find((p) => p.startsWith("q="));
-    if (qParam === undefined) {
-      return true;
+    for (const param of params) {
+      const eq = param.indexOf("=");
+      if (eq === -1) {
+        continue;
+      }
+      const name = param.slice(0, eq).trim();
+      if (name !== "q") {
+        continue;
+      }
+      const value = param.slice(eq + 1).trim();
+      const q = Number(value);
+      return Number.isFinite(q) && q > 0;
     }
-    const q = Number(qParam.slice(2));
-    return Number.isFinite(q) && q > 0;
+    return true;
   });
 }