feat: yt-dlp cookie support + surface real failure reason; default workers 4

Bulk --repair on unauthenticated YouTube trips the bot-check (HTTP 429 "Sign
in to confirm you're not a bot"), after which every call fails until the IP
flag clears. Add cookie support so authenticated requests bypass it:

- --cookies FILE / --cookies-from-browser BROWSER (and $YTDLP_COOKIES /
  $YTDLP_COOKIES_FROM_BROWSER for the API container), threaded into every
  yt-dlp invocation (search, probe, download, repair metadata fetch).
- run_yt_dlp_get_metadata now logs yt-dlp's last stderr line (the actual 429 /
  bot-check / network reason) instead of a bare exit code.
- Default --repair workers lowered 8 -> 4 (safe without cookies; raise with).
- compose: optional YTDLP_COOKIES env + commented cookies mount.
- README: how to obtain cookies (Chrome/Firefox, browser-read vs cookies.txt
  export); gitignore cookies.txt.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

server/docker-compose.yml

@@ -13,5 +13,10 @@ services:
       MUSICFETCH_API_KEY: "${MUSICFETCH_API_KEY}"
       MUSICFETCH_ROOT: "/media/music"
       MUSICFETCH_PORT: "6769"
+      # Optional: authenticated YouTube cookies to avoid bot-check / rate limits.
+      # Mount a cookies.txt below and point this at it (in-container path).
+      YTDLP_COOKIES: "${YTDLP_COOKIES:-}"
     volumes:
       - /media/music:/media/music
+      # Uncomment and set host path to supply cookies (see YTDLP_COOKIES above):
+      # - /path/to/cookies.txt:/cookies.txt:ro