feat: add GeoIP country lookup with embedded DB-IP Lite database (PLAN.md 4.3)

Embeds a DB-IP Lite country MMDB (~5MB) in the binary via go:embed,
keeping the single-binary deployment story clean. Country codes are
stored alongside login attempts and sessions, shown in the dashboard
(Top IPs, Top Countries card, Recent/Active Sessions, session detail).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/storage/sqlite.go

@@ -34,28 +34,29 @@ func NewSQLiteStore(dbPath string) (*SQLiteStore, error) {
 	return &SQLiteStore{db: db}, nil
 }
 
-func (s *SQLiteStore) RecordLoginAttempt(ctx context.Context, username, password, ip string) error {
+func (s *SQLiteStore) RecordLoginAttempt(ctx context.Context, username, password, ip, country string) error {
 	now := time.Now().UTC().Format(time.RFC3339)
 	_, err := s.db.ExecContext(ctx, `
-		INSERT INTO login_attempts (username, password, ip, count, first_seen, last_seen)
-		VALUES (?, ?, ?, 1, ?, ?)
+		INSERT INTO login_attempts (username, password, ip, country, count, first_seen, last_seen)
+		VALUES (?, ?, ?, ?, 1, ?, ?)
 		ON CONFLICT(username, password, ip) DO UPDATE SET
 			count = count + 1,
-			last_seen = ?`,
-		username, password, ip, now, now, now)
+			last_seen = ?,
+			country = ?`,
+		username, password, ip, country, now, now, now, country)
 	if err != nil {
 		return fmt.Errorf("recording login attempt: %w", err)
 	}
 	return nil
 }
 
-func (s *SQLiteStore) CreateSession(ctx context.Context, ip, username, shellName string) (string, error) {
+func (s *SQLiteStore) CreateSession(ctx context.Context, ip, username, shellName, country string) (string, error) {
 	id := uuid.New().String()
 	now := time.Now().UTC().Format(time.RFC3339)
 	_, err := s.db.ExecContext(ctx, `
-		INSERT INTO sessions (id, ip, username, shell_name, connected_at)
-		VALUES (?, ?, ?, ?, ?)`,
-		id, ip, username, shellName, now)
+		INSERT INTO sessions (id, ip, username, shell_name, country, connected_at)
+		VALUES (?, ?, ?, ?, ?, ?)`,
+		id, ip, username, shellName, country, now)
 	if err != nil {
 		return "", fmt.Errorf("creating session: %w", err)
 	}
@@ -101,9 +102,9 @@ func (s *SQLiteStore) GetSession(ctx context.Context, sessionID string) (*Sessio
 	var humanScore sql.NullFloat64
 
 	err := s.db.QueryRowContext(ctx, `
-		SELECT id, ip, username, shell_name, connected_at, disconnected_at, human_score
+		SELECT id, ip, country, username, shell_name, connected_at, disconnected_at, human_score
 		FROM sessions WHERE id = ?`, sessionID).Scan(
-		&sess.ID, &sess.IP, &sess.Username, &sess.ShellName,
+		&sess.ID, &sess.IP, &sess.Country, &sess.Username, &sess.ShellName,
 		&connectedAt, &disconnectedAt, &humanScore,
 	)
 	if err == sql.ErrNoRows {
@@ -288,7 +289,50 @@ func (s *SQLiteStore) GetTopPasswords(ctx context.Context, limit int) ([]TopEntr
 }
 
 func (s *SQLiteStore) GetTopIPs(ctx context.Context, limit int) ([]TopEntry, error) {
-	return s.queryTopN(ctx, "ip", limit)
+	rows, err := s.db.QueryContext(ctx, `
+		SELECT ip, country, SUM(count) AS total
+		FROM login_attempts
+		GROUP BY ip
+		ORDER BY total DESC
+		LIMIT ?`, limit)
+	if err != nil {
+		return nil, fmt.Errorf("querying top IPs: %w", err)
+	}
+	defer func() { _ = rows.Close() }()
+
+	var entries []TopEntry
+	for rows.Next() {
+		var e TopEntry
+		if err := rows.Scan(&e.Value, &e.Country, &e.Count); err != nil {
+			return nil, fmt.Errorf("scanning top IPs: %w", err)
+		}
+		entries = append(entries, e)
+	}
+	return entries, rows.Err()
+}
+
+func (s *SQLiteStore) GetTopCountries(ctx context.Context, limit int) ([]TopEntry, error) {
+	rows, err := s.db.QueryContext(ctx, `
+		SELECT country, SUM(count) AS total
+		FROM login_attempts
+		WHERE country != ''
+		GROUP BY country
+		ORDER BY total DESC
+		LIMIT ?`, limit)
+	if err != nil {
+		return nil, fmt.Errorf("querying top countries: %w", err)
+	}
+	defer func() { _ = rows.Close() }()
+
+	var entries []TopEntry
+	for rows.Next() {
+		var e TopEntry
+		if err := rows.Scan(&e.Value, &e.Count); err != nil {
+			return nil, fmt.Errorf("scanning top countries: %w", err)
+		}
+		entries = append(entries, e)
+	}
+	return entries, rows.Err()
 }
 
 func (s *SQLiteStore) queryTopN(ctx context.Context, column string, limit int) ([]TopEntry, error) {
@@ -324,7 +368,7 @@ func (s *SQLiteStore) queryTopN(ctx context.Context, column string, limit int) (
 }
 
 func (s *SQLiteStore) GetRecentSessions(ctx context.Context, limit int, activeOnly bool) ([]Session, error) {
-	query := `SELECT id, ip, username, shell_name, connected_at, disconnected_at, human_score FROM sessions`
+	query := `SELECT id, ip, country, username, shell_name, connected_at, disconnected_at, human_score FROM sessions`
 	if activeOnly {
 		query += ` WHERE disconnected_at IS NULL`
 	}
@@ -342,7 +386,7 @@ func (s *SQLiteStore) GetRecentSessions(ctx context.Context, limit int, activeOn
 		var connectedAt string
 		var disconnectedAt sql.NullString
 		var humanScore sql.NullFloat64
-		if err := rows.Scan(&s.ID, &s.IP, &s.Username, &s.ShellName, &connectedAt, &disconnectedAt, &humanScore); err != nil {
+		if err := rows.Scan(&s.ID, &s.IP, &s.Country, &s.Username, &s.ShellName, &connectedAt, &disconnectedAt, &humanScore); err != nil {
 			return nil, fmt.Errorf("scanning session: %w", err)
 		}
 		s.ConnectedAt, _ = time.Parse(time.RFC3339, connectedAt)