Add Python form API + harden nginx web root

- New api/ Python service (stdlib only — no pip install, no packages):
  validates fields server-side, verifies reCAPTCHA, sends via Resend
  with idempotency key, rate-limited (5 req/IP/15min)
- Matches existing project tooling (build_locations.py, build_services.py)
- Front-end form.js stays vanilla JS, no JS frameworks anywhere
- docker-compose runs nginx + python:3.13-alpine api with healthcheck
- nginx proxies /api/ to Python service, strips prefix
- Dockerfile now copies only public folders into web root (was
  copying everything, exposing /Dockerfile, /build_*.py, /api/.env)
- nginx.conf denies dotfiles, .env, .conf, .yml, .py, .md, .txt
  and Dockerfile as defense in depth
- .dockerignore keeps sensitive files out of build context
- .gitignore protects api/.env and __pycache__ from being committed

DNS_DMARC_RECORD.txt

@@ -0,0 +1,28 @@
+DMARC RECORD FOR floorithardwoods.com
+Add this at Cloudflare DNS:
+
+Type:    TXT
+Name:    _dmarc
+Content: v=DMARC1; p=none; rua=mailto:dev@arisingmedia.us
+Proxy:   DNS only
+TTL:     Auto
+
+------------------------------------------------------------
+Just the value to paste:
+v=DMARC1; p=none; rua=mailto:dev@arisingmedia.us
+------------------------------------------------------------
+
+WHAT IT DOES
+- v=DMARC1: declares a DMARC policy (this alone fixes most Gmail spam-folder issues)
+- p=none: monitor mode, does not reject anything yet
+- rua=mailto:dev@arisingmedia.us: receives DMARC failure reports
+
+AFTER ADDING
+1. Wait ~5 minutes for DNS propagation
+2. In Gmail, mark the previous test email as "Not Spam"
+3. Send another test from the form to confirm inbox delivery
+
+VERIFY IT IS LIVE
+Run this in terminal after adding:
+  dig +short TXT _dmarc.floorithardwoods.com @8.8.8.8
+You should see the value above echoed back.