feat: integrate Cloudflare Turnstile for Captcha validation

[GTPSHAX]

Overview

This pull request introduces Cloudflare Turnstile as an additional CAPTCHA provider, offering a user-friendly alternative to hCaptcha. The integration includes necessary environment variable schemas, frontend exposure of site keys, and critical security header updates to allow Cloudflare's assets to load correctly.

Key Changes

Security & Headers

Updated the helmet.js middleware configuration in both the API and Web apps. To prevent Content Security Policy (CSP) violations, the following directives now include https://challenges.cloudflare.com:

• frame-src
• script-src
• connect-src

Configuration & Environment

• Environment Variables: Added CLOUDFLARE_TURNSTILE_SITE_KEY and CLOUDFLARE_TURNSTILE_SECRET_KEY to all .env examples and validation schemas.
• Frontend Access: The CLOUDFLARE_TURNSTILE_SITE_KEY is now passed to the frontend through the META object in the home route, enabling the client-side widget to initialize.

API & Docs

• Contextual Validation: The handleGenerateDocx function now receives the full request object, allowing for more robust validation (e.g., checking CAPTCHA tokens directly within the handler).
• Documentation Sync: Updated auto-generated documentation for openai-wrapper and vm-runner to align with recent source code shifts.

How to Test

1. Environment Setup: Add your Cloudflare Turnstile keys to your local .env file.
2. Verification:

• Ensure the Turnstile widget renders on the frontend without CSP errors in the console.
• Validate that a successful challenge allows the generate-docx request to proceed.

3. Fallback: Ensure hCaptcha functionality remains unaffected if selected as the provider.

Screenshots/Video

(N/A - Backend and configuration logic)