add entropy enforcement for optional encryption requirement

Shannon entropy check rejects low-entropy content when MIN_ENTROPY > 0.
Encrypted data ~7.5-8.0 bits/byte, plaintext ~4.0-5.0 bits/byte.
Configurable via FLASKPASTE_MIN_ENTROPY environment variable.

documentation/api.md

@@ -343,6 +343,46 @@ export FLASKPASTE_DEDUP_MAX=3        # Max duplicates per window (default: 3)
 ## Entropy Enforcement
 
 FlaskPaste can require minimum content entropy to enforce client-side encryption.
+
+**How it works:**
+- Shannon entropy is calculated for submitted content (bits per byte)
+- Encrypted/random data: ~7.5-8.0 bits/byte
+- English text: ~4.0-5.0 bits/byte
+- Content below threshold is rejected with 400
+
+**Configuration:**
+```bash
+export FLASKPASTE_MIN_ENTROPY=7.0  # Require ~encryption-level entropy (0=disabled)
+```
+
+**Response (400 Bad Request):**
+```json
+{
+  "error": "Content entropy too low",
+  "entropy": 4.12,
+  "min_entropy": 7.0,
+  "hint": "Encrypt content before uploading (-e flag in fpaste)"
+}
+```
+
+**Caveats:**
+- Small data (<256 bytes) has naturally lower measured entropy even when encrypted
+- Compressed data (gzip, zip) also has high entropy — not distinguishable from encrypted
+- This is a heuristic, not cryptographic proof of encryption
+
+**Recommended thresholds:**
+| Threshold | Effect |
+|-----------|--------|
+| 0 | Disabled (default) |
+| 5.0 | Blocks most plaintext |
+| 6.0 | Requires encryption or compression |
+| 7.0 | Requires encryption + sufficient size |
+
+---
+
+## Proof-of-Work
+
+FlaskPaste includes an optional proof-of-work system to prevent automated spam.
 
 **How it works:**
 1. Client requests a challenge via `GET /challenge`