The /api/v1/discount/:code endpoint now checks allowed_emails when
an email is provided. If the email isn't in the allowed list, returns
valid:false so the frontend doesn't show a fake discount. The promo
field is cleared and unlocked if validation fails.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>