Add login lockout with ntfy alerts and update docs

- Lock accounts for 15 minutes after 5 consecutive failed login attempts
- Send urgent ntfy notification when an account is locked
- Send high-priority ntfy notification on login attempt against a locked account
- Auto-reset lockout on expiry; reset counter on successful login
- Add v2.4 migration for failed_login_attempts and locked_until columns
- Add ALLOWED_ORIGINS and SECURE_COOKIES to .env.example
- Update README: lockout row in security table, new ntfy events

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-23 23:11:30 -07:00
parent 7cd2dfb710
commit 2d3ad3a06c
5 changed files with 89 additions and 10 deletions


@@ -104,6 +104,8 @@ Yolkbook can send alerts via [ntfy](https://ntfy.sh) for security-relevant event
|-------|----------|
| New user registered | default |
| Admin login | high |
| Account locked after failed attempts | urgent |
| Login attempt on locked account | high |
| User disabled | high |
| User deleted | urgent |
| Admin impersonation started | high |
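Review bot: The new "Login attempt on locked account | high" row implies one notification per attempt, so a burst of attempts against a single locked account (which the commit message says stays locked for 15 minutes) would produce a burst of high-priority ntfy messages; either the documented behaviour or the implementation should collapse these, for example one alert per account per lockout window, and the README row should say so. It would also help to state here what the two new events carry (account name, source address, timestamp), since that is what an operator needs to act on an "urgent" lock alert.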
@@ -125,7 +127,8 @@ The gear icon (⚙) in the top-right nav opens the Settings panel:
| CSRF protection | SameSite=Strict cookie prevents cross-site request forgery without explicit tokens |
| Password hashing | bcrypt |
| CORS | Locked to same origin by default; configurable via `ALLOWED_ORIGINS` |
| Rate limiting | Login: 5 req/min · Register: 3 req/min · Admin endpoints: 10 req/min |
| Rate limiting | Login: 5 req/min · Register: 3 req/min · Admin endpoints: 10 req/min (nginx) |
| Login lockout | Account locked for 15 minutes after 5 consecutive failed attempts |
| Security headers | X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, Content-Security-Policy |
| Subresource Integrity | Chart.js CDN script pinned with SHA-384 hash |
| Input validation | Server-side via Pydantic; all user-rendered content HTML-escaped |
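Review bot: With the rate-limiting row now marked "(nginx)", the table should make clear that the new "Login lockout" row is the only login control enforced by the application itself, that it is keyed per account rather than per source address, and that a deployment without the nginx layer therefore relies on the lockout alone. The lockout row should also note the trade-off of per-account locking, namely that repeated wrong passwords for a valid username lock out that user for 15 minutes, and whether a locked account returns the same response as a wrong password, since differing responses would reveal which accounts exist; a short sentence on the "Auto-reset lockout on expiry" behaviour from the commit message, and whether an admin can clear a lock early, would complete the row.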