feat: add new Prometheus metrics and bearer token auth for /metrics

Add 6 new Prometheus metrics for richer observability:
- auth_attempts_by_country_total (counter by country)
- commands_executed_total (counter by shell via OnCommand callback)
- human_score (histogram of final detection scores)
- storage_login_attempts_total, storage_unique_ips, storage_sessions_total
  (gauges via custom collector querying GetDashboardStats on each scrape)

Add optional bearer token authentication for the /metrics endpoint via
web.metrics_token config option. Uses crypto/subtle.ConstantTimeCompare.
Empty token (default) means no auth for backwards compatibility.

Also adds "cisco" to pre-initialized session/command metric labels.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-02-15 15:54:29 +01:00
parent 9aecc7ce02
commit df860b3061
16 changed files with 301 additions and 23 deletions


@@ -264,6 +264,9 @@ func (s *Server) handleSession(channel ssh.Channel, requests <-chan *ssh.Request
Banner: s.cfg.Shell.Banner,
FakeUser: s.cfg.Shell.FakeUser,
},
OnCommand: func(sh string) {
s.metrics.CommandsExecuted.WithLabelValues(sh).Inc()
},
}
// Wrap channel in RecordingChannel.
@@ -299,6 +302,7 @@ func (s *Server) handleSession(channel ssh.Channel, requests <-chan *ssh.Request
}
if scorer != nil {
finalScore := scorer.Score()
s.metrics.HumanScore.Observe(finalScore)
if err := s.store.UpdateHumanScore(context.Background(), sessionID, finalScore); err != nil {
s.logger.Error("failed to write final human score", "err", err, "session_id", sessionID)
}
@@ -362,6 +366,9 @@ func (s *Server) passwordCallback(conn ssh.ConnMetadata, password []byte) (*ssh.
)
country := s.geoip.Lookup(ip)
if country != "" {
s.metrics.AuthAttemptsByCountry.WithLabelValues(country).Inc()
}
if err := s.store.RecordLoginAttempt(context.Background(), conn.User(), string(password), ip, country); err != nil {
s.logger.Error("failed to record login attempt", "err", err)
}
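Review bot: The guard `if country != "" {` silently drops every login attempt whose GeoIP lookup returns nothing, so the sum of auth_attempts_by_country_total across labels undercounts attempts and cannot be reconciled with the storage_login_attempts_total gauge the commit message describes. Folding those into a fixed sentinel label keeps the total intact without adding series: `label := country`, `if label == "" { label = "unknown" }`, `s.metrics.AuthAttemptsByCountry.WithLabelValues(label).Inc()`. The label space is then bounded by whatever `s.geoip.Lookup` can return — presumably normalized country codes, worth confirming, since a raw or attacker-influenced value here would let an unauthenticated /metrics scrape see unbounded series growth. The counter is also incremented before `RecordLoginAttempt`, so an attempt the store fails to persist is still counted; if that is intended, a one-line comment saying so would save the next reader a question. passwordCallback begins before this hunk and continues after it.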