fix: full audit pass — placeholder logs, jq, allowipv6, stale refs

- entrypoint: create proxy-host-placeholder_access.log if no NPM logs
  exist so fail2ban can start before any proxy hosts are configured
- docker-compose: remove :ro from nginx-logs mount (needed for placeholder)
- Dockerfile: add jq (required by cloudflare.conf actionunban)
- cloudflare.conf: replace python3 JSON parsing with jq; clean stale comments
- jail.local + jail.cloudflare.local: add allowipv6 = auto to suppress warning
- jail.cloudflare.local: remove stale .env and docker-compose.cloudflare.yml refs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

fail2ban/jail.cloudflare.local

@@ -1,24 +1,20 @@
 # ── F2B Control Center — jail configuration (Cloudflare) ─────────────────────
-#
-# Used when CF_EMAIL and CF_APIKEY are set (docker-compose.cloudflare.yml).
-# Identical to jail.local but adds the cloudflare action to every jail so
-# bans are enforced at both the iptables and Cloudflare WAF levels.
-#
-# CF credentials are read from environment variables — no credentials are
-# stored in this file.
+# Installed when CF_EMAIL + CF_APIKEY are set in docker-compose.yml.
+# Adds the Cloudflare WAF action to every jail alongside iptables.
+# Credentials are injected from environment — not stored here.
 # ─────────────────────────────────────────────────────────────────────────────
 
 [DEFAULT]
-bantime  = 1h
-findtime = 10m
-maxretry = 5
+bantime    = 1h
+findtime   = 10m
+maxretry   = 5
+allowipv6  = auto
 
 # Populated by entrypoint from SUBNETS_TO_IGNORE env var on first run.
 # Updated live by the dashboard — do not edit by hand.
 ignoreip = 127.0.0.1/8 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
 
-# Cloudflare credentials — injected from environment at runtime.
-# Set CF_EMAIL and CF_APIKEY in your .env file.
+# Cloudflare credentials — set CF_EMAIL and CF_APIKEY in docker-compose.yml.
 cf_email  = %(ENV[CF_EMAIL])s
 cf_apikey = %(ENV[CF_APIKEY])s