fix: full audit pass — placeholder logs, jq, allowipv6, stale refs

- entrypoint: create proxy-host-placeholder_access.log if no NPM logs
  exist so fail2ban can start before any proxy hosts are configured
- docker-compose: remove :ro from nginx-logs mount (needed for placeholder)
- Dockerfile: add jq (required by cloudflare.conf actionunban)
- cloudflare.conf: replace python3 JSON parsing with jq; clean stale comments
- jail.local + jail.cloudflare.local: add allowipv6 = auto to suppress warning
- jail.cloudflare.local: remove stale .env and docker-compose.cloudflare.yml refs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docker-compose.yml

@@ -33,7 +33,7 @@ services:
       MANUAL_JAIL:   "manual-bans"
       BAN_HIST_FILE: "/data/ban-history.json"
     volumes:
-      - ./data/npm/logs:/nginx-logs:ro
+      - ./data/npm/logs:/nginx-logs
       - f2b-data:/data
       - f2b-config:/etc/fail2ban