add proof-of-work spam prevention

Clients must solve a SHA256 hash puzzle before paste creation.
Configurable via FLASKPASTE_POW_DIFFICULTY (0 = disabled, 16 = default).
Challenge tokens expire after FLASKPASTE_POW_TTL seconds (default 300).

app/config.py

@@ -33,6 +33,14 @@ class Config:
     # X-Proxy-Secret header, providing defense-in-depth against header spoofing.
     TRUSTED_PROXY_SECRET = os.environ.get("FLASKPASTE_PROXY_SECRET", "")
 
+    # Proof-of-work spam prevention
+    # Clients must solve a computational puzzle before paste creation.
+    # Difficulty is number of leading zero bits required in hash (0 = disabled).
+    POW_DIFFICULTY = int(os.environ.get("FLASKPASTE_POW_DIFFICULTY", "16"))
+    POW_CHALLENGE_TTL = int(os.environ.get("FLASKPASTE_POW_TTL", "300"))  # 5 minutes
+    # Secret key for signing challenges (auto-generated if not set)
+    POW_SECRET = os.environ.get("FLASKPASTE_POW_SECRET", "")
+
 
 class DevelopmentConfig(Config):
     """Development configuration."""
@@ -56,6 +64,9 @@ class TestingConfig(Config):
     CONTENT_DEDUP_WINDOW = 1
     CONTENT_DEDUP_MAX = 100
 
+    # Disable PoW for most tests (easier testing)
+    POW_DIFFICULTY = 0
+
 
 config = {
     "development": DevelopmentConfig,