feat(egress): add Prometheus metrics, METRICS.md, and metrics fetch in smoke tests

[Pangjiping]

Summary

• Add pkg/metrics with metric definitions (DNS, policy, nftables, violations, info, uptime)
• Expose GET /metrics on policy server; instance_id from OPENSANDBOX_EGRESS_INSTANCE_ID
• Instrument dnsproxy, policy server, and nft setup; add prometheus/client_golang dependency
• Add METRICS.md (English) documenting metrics and instance identification
• Smoke tests: fetch metrics once after all tests pass (smoke-dns, smoke-nft, smoke-dynamic-ip)

Testing

• Not run (explain why)
• Unit tests
• Integration tests
• e2e / manual verification

Breaking Changes

• None
• Yes (describe impact and migration path)

Checklist

• Linked Issue or clearly described motivation. close FEATURE: egress stage-4 for audit logs and metrics #185
• Added/updated docs (if needed)
• Added/updated tests (if needed)
• Security impact considered
• Backward compatibility considered

[jwx0925]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 93ee89a8f4

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Wire DoH/DoT drop counter to real drop events

This metric is declared but never incremented in the new instrumentation paths (there is no NftDohDotPacketsDroppedTotal.WithLabelValues(...).Inc() call in nft.go, policy_server.go, or other egress code), so in dns+nft mode /metrics will never surface actual DoH/DoT drops. Any dashboard or alert relying on opensandbox_egress_nft_doh_dot_packets_dropped_total will silently under-report enforcement behavior.

Useful? React with 👍 / 👎.