flaskpaste: initial commit with security hardening

Features:
- REST API for text/binary pastes with MIME detection
- Client certificate auth via X-SSL-Client-SHA1 header
- SQLite with WAL mode for concurrent access
- Automatic paste expiry with LRU cleanup

Security:
- HSTS, CSP, X-Frame-Options, X-Content-Type-Options
- Cache-Control: no-store for sensitive responses
- X-Request-ID tracing for log correlation
- X-Proxy-Secret validation for defense-in-depth
- Parameterized queries, input validation
- Size limits (3 MiB anon, 50 MiB auth)

Includes /health endpoint, container support, and 70 tests.

Containerfile

@@ -0,0 +1,43 @@
+# FlaskPaste Container Image
+# Build: podman build -t flaskpaste .
+# Run:   podman run -d -p 5000:5000 -v flaskpaste-data:/app/data flaskpaste
+
+FROM python:3.11-slim
+
+LABEL maintainer="FlaskPaste"
+LABEL description="Lightweight secure pastebin REST API"
+
+# Create non-root user
+RUN groupadd -r flaskpaste && useradd -r -g flaskpaste flaskpaste
+
+# Set working directory
+WORKDIR /app
+
+# Install dependencies first (cache layer)
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt gunicorn
+
+# Copy application code
+COPY app/ ./app/
+COPY wsgi.py .
+
+# Create data directory
+RUN mkdir -p /app/data && chown -R flaskpaste:flaskpaste /app
+
+# Switch to non-root user
+USER flaskpaste
+
+# Environment defaults
+ENV FLASK_ENV=production
+ENV FLASKPASTE_DB=/app/data/pastes.db
+ENV PYTHONUNBUFFERED=1
+
+# Expose port
+EXPOSE 5000
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
+    CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:5000/health')" || exit 1
+
+# Run with gunicorn
+CMD ["gunicorn", "--bind", "0.0.0.0:5000", "--workers", "2", "--access-logfile", "-", "wsgi:application"]