feat: add minimal web dashboard with stats, top credentials, and sessions

Implements Phase 1.5 — an embedded web UI using Go templates, Pico CSS
(dark theme), and htmx for auto-refreshing stats and active sessions.

Adds read query methods to the Store interface (GetDashboardStats,
GetTopUsernames, GetTopPasswords, GetTopIPs, GetRecentSessions) with
implementations for both SQLite and MemoryStore. Introduces the
internal/web package with server, handlers, templates, and tests.
Web server is opt-in via [web] config section and runs alongside
SSH with graceful shutdown. Bumps version to 0.2.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/storage/memstore.go

@@ -2,6 +2,7 @@ package storage
 
 import (
 	"context"
+	"sort"
 	"sync"
 	"time"
 
@@ -138,6 +139,93 @@ func (m *MemoryStore) DeleteRecordsBefore(_ context.Context, cutoff time.Time) (
 	return total, nil
 }
 
+func (m *MemoryStore) GetDashboardStats(_ context.Context) (*DashboardStats, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	stats := &DashboardStats{}
+	ips := make(map[string]struct{})
+	for _, a := range m.LoginAttempts {
+		stats.TotalAttempts += int64(a.Count)
+		ips[a.IP] = struct{}{}
+	}
+	stats.UniqueIPs = int64(len(ips))
+	stats.TotalSessions = int64(len(m.Sessions))
+	for _, s := range m.Sessions {
+		if s.DisconnectedAt == nil {
+			stats.ActiveSessions++
+		}
+	}
+	return stats, nil
+}
+
+func (m *MemoryStore) GetTopUsernames(_ context.Context, limit int) ([]TopEntry, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	return m.topN("username", limit), nil
+}
+
+func (m *MemoryStore) GetTopPasswords(_ context.Context, limit int) ([]TopEntry, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	return m.topN("password", limit), nil
+}
+
+func (m *MemoryStore) GetTopIPs(_ context.Context, limit int) ([]TopEntry, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	return m.topN("ip", limit), nil
+}
+
+// topN aggregates login attempts by the given field and returns the top N. Must be called with m.mu held.
+func (m *MemoryStore) topN(field string, limit int) []TopEntry {
+	counts := make(map[string]int64)
+	for _, a := range m.LoginAttempts {
+		var key string
+		switch field {
+		case "username":
+			key = a.Username
+		case "password":
+			key = a.Password
+		case "ip":
+			key = a.IP
+		}
+		counts[key] += int64(a.Count)
+	}
+
+	entries := make([]TopEntry, 0, len(counts))
+	for k, v := range counts {
+		entries = append(entries, TopEntry{Value: k, Count: v})
+	}
+	sort.Slice(entries, func(i, j int) bool {
+		return entries[i].Count > entries[j].Count
+	})
+	if limit > 0 && len(entries) > limit {
+		entries = entries[:limit]
+	}
+	return entries
+}
+
+func (m *MemoryStore) GetRecentSessions(_ context.Context, limit int, activeOnly bool) ([]Session, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	var sessions []Session
+	for _, s := range m.Sessions {
+		if activeOnly && s.DisconnectedAt != nil {
+			continue
+		}
+		sessions = append(sessions, *s)
+	}
+	sort.Slice(sessions, func(i, j int) bool {
+		return sessions[i].ConnectedAt.After(sessions[j].ConnectedAt)
+	})
+	if limit > 0 && len(sessions) > limit {
+		sessions = sessions[:limit]
+	}
+	return sessions, nil
+}
+
 func (m *MemoryStore) Close() error {
 	return nil
 }