websearch: add SearXNG JSON engine as escape hatch for blocked hosts (#270)

On some machines (commonly Linux boxes and servers) DuckDuckGo and Bing
reject jcode's scraped HTML requests via TLS fingerprinting / IP
reputation and return an anti-bot challenge page with zero results, so
`websearch` appears broken with no actionable error. Reproduced locally:
curl against both DDG and Bing from this host returns anomaly/captcha
pages even with a browser User-Agent.

Rather than the large/risky route of swapping reqwest for a
browser-impersonating TLS stack, add a reliable opt-in escape hatch:
a SearXNG metasearch engine that talks to an instance's JSON API.

Changes:
- jcode-config-types: add `WebSearchEngine::Searxng` (parses "searxng"
  and "searx"), plus `websearch.searxng_url` / `searxng_url_env`
  (default env `JCODE_SEARXNG_URL`).
- jcode-app-core/websearch: implement `search_searxng()` hitting
  `<base>/search?format=json`, with clear errors when no instance is
  configured or the instance has JSON disabled. Extract the response
  mapping into a pure, unit-tested `parse_searxng_results()`. Improve the
  empty-results message to point users at SearXNG / a Bing API key when
  the default engines are being blocked.
- jcode-base: wire `JCODE_SEARXNG_URL` env override and document the
  engine + the TLS-blocking caveat in the generated default config.

Tests: JSON parsing (empty-url filtering, title fallback, snippet),
result-limit capping, and engine alias parsing.