Add login lockout with ntfy alerts and update docs

- Lock accounts for 15 minutes after 5 consecutive failed login attempts
- Send urgent ntfy notification when an account is locked
- Send high-priority ntfy notification on login attempt against a locked account
- Auto-reset lockout on expiry; reset counter on successful login
- Add v2.4 migration for failed_login_attempts and locked_until columns
- Add ALLOWED_ORIGINS and SECURE_COOKIES to .env.example
- Update README: lockout row in security table, new ntfy events

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-23 23:11:30 -07:00
parent 7cd2dfb710
commit 2d3ad3a06c
5 changed files with 89 additions and 10 deletions


@@ -100,6 +100,17 @@ def _run_migrations():
except Exception:
db.rollback() # constraint already exists — safe to ignore
# v2.4 — login lockout columns
for sql in [
"ALTER TABLE users ADD COLUMN failed_login_attempts INT NOT NULL DEFAULT 0",
"ALTER TABLE users ADD COLUMN locked_until DATETIME NULL",
]:
try:
db.execute(text(sql))
db.commit()
except Exception:
db.rollback() # column already exists — safe to ignore
@asynccontextmanager
async def lifespan(app: FastAPI):
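Review bot: the blanket `except Exception: db.rollback()` around the two `ALTER TABLE users ADD COLUMN ...` statements assumes every failure means "column already exists", so a real error (insufficient privileges, a locked table, a dialect that rejects `DATETIME NULL`) is silently swallowed and the app starts without `failed_login_attempts` / `locked_until`, which will then surface only as a crash in the login path rather than at migration time. Suggest narrowing the except to the driver's duplicate-column error (or checking the column via the inspector before issuing the ALTER) and logging anything else at warning level, e.g. `except Exception as exc:` followed by `log.warning("migration %s failed: %s", sql, exc)` before `db.rollback()`, so the v2.4 migration's outcome is visible in the logs.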