kanidm: remove non-functional metrics scrape target

Kanidm does not expose a Prometheus /metrics endpoint.
The scrape target was causing 404 errors after the TLS
certificate issue was fixed.

Also add SSH command restriction to CLAUDE.md.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

services/kanidm/default.nix

@@ -55,12 +55,13 @@
     group = "kanidm";
   };
 
-  # Monitoring scrape target
-  homelab.monitoring.scrapeTargets = [
-    {
-      job_name = "kanidm";
-      port = 443;
-      scheme = "https";
-    }
-  ];
+  # Note: Kanidm does not expose Prometheus metrics
+  # If metrics support is added in the future, uncomment:
+  # homelab.monitoring.scrapeTargets = [
+  #   {
+  #     job_name = "kanidm";
+  #     port = 443;
+  #     scheme = "https";
+  #   }
+  # ];
 }