feat: yt-dlp cookie support + surface real failure reason; default workers 4

Bulk --repair on unauthenticated YouTube trips the bot-check (HTTP 429 "Sign
in to confirm you're not a bot"), after which every call fails until the IP
flag clears. Add cookie support so authenticated requests bypass it:

- --cookies FILE / --cookies-from-browser BROWSER (and $YTDLP_COOKIES /
  $YTDLP_COOKIES_FROM_BROWSER for the API container), threaded into every
  yt-dlp invocation (search, probe, download, repair metadata fetch).
- run_yt_dlp_get_metadata now logs yt-dlp's last stderr line (the actual 429 /
  bot-check / network reason) instead of a bare exit code.
- Default --repair workers lowered 8 -> 4 (safe without cookies; raise with).
- compose: optional YTDLP_COOKIES env + commented cookies mount.
- README: how to obtain cookies (Chrome/Firefox, browser-read vs cookies.txt
  export); gitignore cookies.txt.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

tests/test_playlist.py

@@ -132,3 +132,13 @@ def test_yt_download_single_word_tags_injected_literally(monkeypatch):
     assert "Cochise" in cmd
     # A hit album must not be clobbered by the Unknown-Album default.
     assert "%(album|Unknown Album)s:%(meta_album)s" not in cmd
+
+
+def test_yt_download_passes_cookies(monkeypatch):
+    captured = {}
+    monkeypatch.setattr(mf, "COOKIES_FILE", "/cookies.txt")
+    monkeypatch.setattr(mf, "COOKIES_FROM_BROWSER", "")
+    monkeypatch.setattr(mf.os, "makedirs", lambda *a, **k: None)
+    monkeypatch.setattr(mf.subprocess, "run", lambda cmd, **k: captured.update(cmd=cmd) or _CP(""))
+    mf.yt_download("u", "/tmp/x", "best", False)
+    assert "--cookies" in captured["cmd"] and "/cookies.txt" in captured["cmd"]