Security hardening: go-live review fixes

- TV tokens upgraded from 4 to 6 digits; Regen Token button in Admin
- Nginx rate limiting on TV dashboard and WebSocket endpoints
- Login lockout after 5 failed attempts (15 min); clears on admin password reset
- HSTS header added; CSP unsafe-inline removed from script-src; CORS restricted to explicit methods/headers
- Dependency CVE fixes: PyJWT 2.12.0, aiomysql 0.3.0, cryptography 46.0.5, python-multipart 0.0.22
- datetime.utcnow() replaced with datetime.now(timezone.utc) throughout
- SQL identifier whitelist for startup migration queries
- README updated: security notes section, lockout docs, token regen, NPM proxy guidance

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/routers/children.py

@@ -52,7 +52,7 @@ async def list_children(
 
 async def _generate_tv_token(db: AsyncSession) -> int:
     while True:
-        token = random.randint(1000, 9999)
+        token = random.randint(100000, 999999)
         result = await db.execute(select(Child).where(Child.tv_token == token))
         if not result.scalar_one_or_none():
             return token
@@ -134,6 +134,24 @@ async def update_strikes(
     return child
 
 
+@router.post("/{child_id}/regenerate-token", response_model=ChildOut)
+async def regenerate_tv_token(
+    child_id: int,
+    current_user: User = Depends(get_current_user),
+    db: AsyncSession = Depends(get_db),
+):
+    result = await db.execute(
+        select(Child).where(Child.id == child_id, Child.user_id == current_user.id)
+    )
+    child = result.scalar_one_or_none()
+    if not child:
+        raise HTTPException(status_code=404, detail="Child not found")
+    child.tv_token = await _generate_tv_token(db)
+    await db.commit()
+    await db.refresh(child)
+    return child
+
+
 @router.delete("/{child_id}", status_code=status.HTTP_204_NO_CONTENT)
 async def delete_child(
     child_id: int,