Add Python form API + harden nginx web root

- New api/ Python service (stdlib only — no pip install, no packages):
  validates fields server-side, verifies reCAPTCHA, sends via Resend
  with idempotency key, rate-limited (5 req/IP/15min)
- Matches existing project tooling (build_locations.py, build_services.py)
- Front-end form.js stays vanilla JS, no JS frameworks anywhere
- docker-compose runs nginx + python:3.13-alpine api with healthcheck
- nginx proxies /api/ to Python service, strips prefix
- Dockerfile now copies only public folders into web root (was
  copying everything, exposing /Dockerfile, /build_*.py, /api/.env)
- nginx.conf denies dotfiles, .env, .conf, .yml, .py, .md, .txt
  and Dockerfile as defense in depth
- .dockerignore keeps sensitive files out of build context
- .gitignore protects api/.env and __pycache__ from being committed

nginx.conf

@@ -4,6 +4,31 @@ server {
     root /usr/share/nginx/html;
     index index.html;
 
+    # Deny dotfiles, configs, scripts, source — defense in depth
+    location ~ /\. {
+        deny all;
+        return 404;
+    }
+    location ~* \.(env|env\.example|conf|yml|yaml|py|pyc|md|txt|sh|sql|log|bak|old|swp|dockerfile)$ {
+        deny all;
+        return 404;
+    }
+    location = /Dockerfile {
+        deny all;
+        return 404;
+    }
+
+    # API proxy — strip /api/ prefix, forward to Node.js service
+    location /api/ {
+        proxy_pass         http://api:3001/;
+        proxy_http_version 1.1;
+        proxy_set_header   Host $host;
+        proxy_set_header   X-Real-IP $remote_addr;
+        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_read_timeout 10s;
+        proxy_connect_timeout 5s;
+    }
+
     # Flat HTML — serve /locations/buffalo as /locations/buffalo.html
     location / {
         try_files $uri $uri/ $uri.html =404;