feat: add Prometheus metrics endpoint and Docker image (PLAN.md 4.2)

Add internal/metrics package with dedicated Prometheus registry exposing
SSH connection, auth attempt, session, and build info metrics. Wire into
SSH server (4 instrumentation points) and web server (/metrics endpoint).
Add dockerImage output to flake.nix via dockerTools.buildLayeredImage.
Bump version to 0.7.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/metrics/metrics_test.go

@@ -0,0 +1,62 @@
+package metrics
+
+import (
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+)
+
+func TestNew(t *testing.T) {
+	m := New("1.2.3")
+
+	// Gather all metrics and check expected names exist.
+	families, err := m.registry.Gather()
+	if err != nil {
+		t.Fatalf("gather: %v", err)
+	}
+
+	want := map[string]bool{
+		"oubliette_ssh_connections_total":    false,
+		"oubliette_ssh_connections_active":   false,
+		"oubliette_auth_attempts_total":      false,
+		"oubliette_sessions_total":           false,
+		"oubliette_sessions_active":          false,
+		"oubliette_session_duration_seconds": false,
+		"oubliette_build_info":               false,
+	}
+
+	for _, f := range families {
+		if _, ok := want[f.GetName()]; ok {
+			want[f.GetName()] = true
+		}
+	}
+
+	for name, found := range want {
+		if !found {
+			t.Errorf("metric %q not registered", name)
+		}
+	}
+}
+
+func TestHandler(t *testing.T) {
+	m := New("1.2.3")
+
+	req := httptest.NewRequest(http.MethodGet, "/metrics", nil)
+	w := httptest.NewRecorder()
+	m.Handler().ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("status = %d, want 200", w.Code)
+	}
+
+	body, err := io.ReadAll(w.Body)
+	if err != nil {
+		t.Fatalf("reading body: %v", err)
+	}
+
+	if !strings.Contains(string(body), `oubliette_build_info{version="1.2.3"} 1`) {
+		t.Errorf("response should contain build_info metric, got:\n%s", body)
+	}
+}