feat: add Prometheus metrics endpoint and Docker image (PLAN.md 4.2)

Add internal/metrics package with dedicated Prometheus registry exposing
SSH connection, auth attempt, session, and build info metrics. Wire into
SSH server (4 instrumentation points) and web server (/metrics endpoint).
Add dockerImage output to flake.nix via dockerTools.buildLayeredImage.
Bump version to 0.7.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/web/web.go

@@ -20,7 +20,8 @@ type Server struct {
 }
 
 // NewServer creates a new web Server with routes registered.
-func NewServer(store storage.Store, logger *slog.Logger) (*Server, error) {
+// If metricsHandler is non-nil, a /metrics endpoint is registered.
+func NewServer(store storage.Store, logger *slog.Logger, metricsHandler http.Handler) (*Server, error) {
 	tmpl, err := loadTemplates()
 	if err != nil {
 		return nil, err
@@ -40,6 +41,10 @@ func NewServer(store storage.Store, logger *slog.Logger) (*Server, error) {
 	s.mux.HandleFunc("GET /fragments/stats", s.handleFragmentStats)
 	s.mux.HandleFunc("GET /fragments/active-sessions", s.handleFragmentActiveSessions)
 
+	if metricsHandler != nil {
+		s.mux.Handle("GET /metrics", metricsHandler)
+	}
+
 	return s, nil
 }