Add ntfy push notifications for security-relevant events

Sends alerts on admin login, new registrations, user disable/delete, and
impersonation. NTFY_URL and NTFY_TOKEN are optional — leave blank to disable.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

README.md

@@ -62,6 +62,8 @@ A self-hosted, multi-user web app for backyard chicken keepers to track egg prod
    |----------|---------|-------------|
    | `SECURE_COOKIES` | `true` | Set to `false` for local HTTP testing only; leave `true` when behind HTTPS |
    | `ALLOWED_ORIGINS` | *(empty)* | Comma-separated list of external origins allowed to call the API. Leave empty if accessed only through the bundled nginx frontend. |
+   | `NTFY_URL` | *(empty)* | ntfy topic URL for push notifications (e.g. `https://ntfy.sh/your-secret-topic`). Leave empty to disable. |
+   | `NTFY_TOKEN` | *(empty)* | Bearer token for authenticated ntfy topics. Leave empty if your topic is public or not needed. |
 
 3. Start the stack:
    ```bash
@@ -94,6 +96,20 @@ Accessible at `/admin` for admin accounts. Features:
 
 When impersonating a user, an amber banner appears in the nav with a **Return to Admin** button. The original admin session is preserved server-side — no admin credentials are stored in the browser during impersonation.
 
+## Push Notifications
+
+Yolkbook can send alerts via [ntfy](https://ntfy.sh) for security-relevant events. Set `NTFY_URL` in `.env` to enable.
+
+| Event | Priority |
+|-------|----------|
+| New user registered | default |
+| Admin login | high |
+| User disabled | high |
+| User deleted | urgent |
+| Admin impersonation started | high |
+
+Use `https://ntfy.sh/your-secret-topic` for the hosted service or a self-hosted ntfy URL. Set `NTFY_TOKEN` if your topic requires authentication. Notifications are fire-and-forget — a failed delivery is logged but never interrupts a request.
+
 ## User Settings
 
 The gear icon (⚙) in the top-right nav opens the Settings panel: