NillionNetwork
diff --git a/‎docs/admin-guide.md‎
Lines changed: 72 additions & 15 deletions b/‎docs/admin-guide.md‎
Lines changed: 72 additions & 15 deletions
diff --git a/‎justfile‎
Lines changed: 12 additions & 6 deletions b/‎justfile‎
Lines changed: 12 additions & 6 deletions
diff --git a/‎local/docker-compose.yaml‎
Lines changed: 16 additions & 1 deletion b/‎local/docker-compose.yaml‎
Lines changed: 16 additions & 1 deletion
diff --git a/‎local/otel-collector/config.yaml‎
Lines changed: 30 additions & 0 deletions b/‎local/otel-collector/config.yaml‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎packages/api/env.example‎
Lines changed: 7 additions & 0 deletions b/‎packages/api/env.example‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎packages/api/package.json‎
Lines changed: 20 additions & 2 deletions b/‎packages/api/package.json‎
Lines changed: 20 additions & 2 deletions
diff --git a/‎packages/api/src/app.ts‎
Lines changed: 5 additions & 5 deletions b/‎packages/api/src/app.ts‎
Lines changed: 5 additions & 5 deletions
@@ -18,18 +18,18 @@ This section provides task-oriented instructions for node administrators.
 
 The following environment variables are require:
 
-| Variable                 | Description                                               | Example                             |
-|--------------------------|-----------------------------------------------------------|-------------------------------------|
-| APP_DB_NAME_BASE         | Database name prefix                                      | nildb_data                          |
-| APP_DB_URI               | MongoDB connection string                                 | mongodb://node-xxxx-db:27017        |
-| APP_ENABLED_FEATURES     | Enable features                                           | openapi-spec,metrics,migrations     |
-| APP_LOG_LEVEL            | Logging verbosity                                         | debug                               |
-| APP_METRICS_PORT         | Prometheus metrics port                                   | 9091                                |
-| APP_NILAUTH_BASE_URL     | The nilauth service url for subscriptions and revocations | http://127.0.0.1:30921              |
-| APP_NILAUTH_PUBLIC_KEY   | The nilauth service's secp256k1 public key                | [hex encoded secp256k1 public key]  |
-| APP_NODE_PUBLIC_ENDPOINT | Public URL of node                                        | https://nildb-xxxx.domain.com       |
-| APP_NODE_SECRET_KEY      | Node's private key                                        | [hex encoded secp256k1 private key] |
-| APP_PORT                 | API service port                                          | 8080                                |
+| Variable                 | Description                                               | Example                              |
+|--------------------------|-----------------------------------------------------------|--------------------------------------|
+| APP_DB_NAME_BASE         | Database name prefix                                      | nildb_data                           |
+| APP_DB_URI               | MongoDB connection string                                 | mongodb://node-xxxx-db:27017         |
+| APP_ENABLED_FEATURES     | Enable features                                           | openapi-spec,metrics,migrations,otel |
+| APP_LOG_LEVEL            | Logging verbosity                                         | debug                                |
+| APP_METRICS_PORT         | Prometheus metrics port                                   | 9091                                 |
+| APP_NILAUTH_BASE_URL     | The nilauth service url for subscriptions and revocations | http://127.0.0.1:30921               |
+| APP_NILAUTH_PUBLIC_KEY   | The nilauth service's secp256k1 public key                | [hex encoded secp256k1 public key]   |
+| APP_NODE_PUBLIC_ENDPOINT | Public URL of node                                        | https://nildb-xxxx.domain.com        |
+| APP_NODE_SECRET_KEY      | Node's private key                                        | [hex encoded secp256k1 private key]  |
+| APP_PORT                 | API service port                                          | 8080                                 |
 
 ### Rate Limiting
 
@@ -41,6 +41,52 @@ The following variables control the IP-based rate limiting feature.
 | APP_RATE_LIMIT_WINDOW_SECONDS   | The duration of the time window in seconds.     | `60`    |
 | APP_RATE_LIMIT_MAX_REQUESTS     | Max requests per IP within the time window.     | `60`    |
 
+
+### OpenTelemetry
+
+When the `otel` feature is enabled in `APP_ENABLED_FEATURES`, the following variables configure OpenTelemetry instrumentation:
+
+| Variable                        | Description                             | Default          | Required |
+|---------------------------------|-----------------------------------------|------------------|----------|
+| OTEL_ENDPOINT                   | OTLP endpoint URL                       | http://localhost | No       |
+| OTEL_SERVICE_NAME               | Service name for telemetry              | nildb            | No       |
+| OTEL_TEAM_NAME                  | Team responsible for the service        | nildb            | No       |
+| OTEL_DEPLOYMENT_ENV             | Deployment environment                  | local            | No       |
+| OTEL_METRICS_EXPORT_INTERVAL_MS | Metrics export interval in milliseconds | 60000            | No       |
+| OTEL_RESOURCE_ATTRIBUTES        | Additional resource attributes          | (not set)        | No       |
+| OTEL_SDK_DISABLED               | Disable OpenTelemetry SDK               | (not set)        | No       |
+
+**Setting Custom Resource Attributes:**
+
+You can set or override any OpenTelemetry resource attributes using `OTEL_RESOURCE_ATTRIBUTES`:
+
+```bash
+# Set single attribute
+OTEL_RESOURCE_ATTRIBUTES=service.instance.id=nildb-r5nw
+
+# Set multiple attributes (comma-separated)
+OTEL_RESOURCE_ATTRIBUTES=service.instance.id=nildb-r5nw,custom.key=value
+```
+
+Values set via `OTEL_RESOURCE_ATTRIBUTES` take precedence over programmatically set values. This is useful for setting deployment-specific identifiers like `service.instance.id` without modifying code.
+
+**Feature Flag Behavior:**
+
+- **`metrics` only**: Metrics are served on `:9091/metrics` endpoint using OpenTelemetry PrometheusExporter. No traces or logs sent to OTLP.
+- **`otel` only**: Metrics, traces, and logs are pushed to OTLP endpoint. No `/metrics` endpoint is exposed.
+
+> ![NOTE]
+> The `metrics` and `otel` feature flags are **mutually exclusive**. Enabling both will cause the server to exit with an error. Choose one observability mode.
+
+**Disabling OpenTelemetry SDK:**
+
+To disable OpenTelemetry SDK and prevent telemetry emission while keeping the `otel` feature flag enabled, set the following environment variable:
+```bash
+OTEL_SDK_DISABLED=true
+```
+
+This is useful for local development where you want to use Pino stdout logging instead of sending telemetry to an OTLP endpoint.
+
 ## Start the node
 
 ### Local Development
@@ -53,15 +99,22 @@ docker compose -f local/docker-compose.yaml up -d
 ```
 
 This stack includes:
-- **nilDB**: The main API service (port 40080)
+- **nilDB**: The main API service (port 40080, metrics port 40091)
 - **MongoDB**: Database backend (port 40017)
 - **nilauth**: Authentication service for NUC tokens (port 40921)
 - **nilchain**: Local blockchain for testing payments (JSON-RPC port 40648)
 - **PostgreSQL**: Database for nilauth (port 40432)
 - **token-price-api**: Mock token pricing service (port 40923)
+- **otel-collector**: OpenTelemetry collector with debug exporter (OTLP port 40318)
 
 The nilDB API will be available at `http://localhost:40080`.
 
+The local stack is configured with `APP_ENABLED_FEATURES=openapi,otel,migrations`, which means:
+- Metrics, traces, and logs are sent to the OTel Collector (visible in `docker compose logs otel-collector`)
+- No `/metrics` endpoint is exposed (OTLP push only)
+
+To switch to metrics-only mode (serve metrics on `:40091/metrics`), change `otel` to `metrics` in the docker-compose.yaml file.
+
 ### Production Deployment
 
 A nilDB node consists of a MongoDB instance and a RESTful API service. Below is a basic Docker Compose configuration:
@@ -105,10 +158,14 @@ The following endpoints provide operational information:
 
 - `GET /health` - Service health check
 - `GET /about` - Node configuration
-- `GET :9091/metrics` - Prometheus metrics (internal access only)
+- `GET :9091/metrics` - Prometheus metrics (internal access only, available when `metrics` feature flag is enabled without `otel`)
 
 > ![NOTE]
-> `/metrics` shouldn't be exposed publicly. 
+> The `/metrics` endpoint behavior depends on feature flags:
+> - **`metrics` only**: Serves metrics at `:9091/metrics` using OpenTelemetry PrometheusExporter
+> - **`otel` enabled**: No `/metrics` endpoint; all telemetry pushed to OTLP collector
+>
+> The `/metrics` endpoint should never be exposed publicly - use firewall rules or network policies to restrict access to internal monitoring systems only.
 
 ## Logging
 
 
@@ -19,8 +19,14 @@ install:
 # --- Quality
 # ------------------
 
+# Build workspace dependencies (required for type checking and tests)
+build-deps:
+    pnpm --filter @nillion/nildb-types build
+    pnpm --filter @nillion/nildb-shared build
+    pnpm --filter @nillion/nildb-client build
+
 # Check for formatting, lint, and type errors
-check:
+check: build-deps
     pnpm exec tsc -b && pnpm exec biome ci && pnpm exec tsc -b --noEmit
 
 # Format, fix, and type check all files
@@ -40,27 +46,27 @@ dev:
     pnpm --filter @nillion/nildb dev
 
 # Build nildb
-build:
+build: build-deps
     pnpm --filter @nillion/nildb build
 
 # ------------------
 # --- Testing
 # ------------------
 
 # Run all tests (unit & integration)
-test:
+test: build-deps
     pnpm exec vitest run
 
 # Run unit tests
-test-unit:
+test-unit: build-deps
     pnpm exec vitest run --project=unit
 
 # Run integration tests
-test-integration:
+test-integration: build-deps
     pnpm exec vitest run --project=integration
 
 # Run tests with coverage
-test-coverage:
+test-coverage: build-deps
     pnpm exec vitest run --coverage
 
 # ------------------
 
@@ -5,19 +5,26 @@ services:
       dockerfile: packages/api/Dockerfile
     ports:
       - "40080:8080"
+      - "40091:9091"
     depends_on:
       - mongodb
+      - otel-collector
     environment:
       - APP_DB_NAME_BASE=nildb
       - APP_DB_URI=mongodb://mongodb:27017
-      - APP_ENABLED_FEATURES=openapi,metrics,migrations
+      - APP_ENABLED_FEATURES=openapi,otel,migrations
       - APP_LOG_LEVEL=debug
       - APP_METRICS_PORT=9091
       - APP_NILAUTH_BASE_URL=http://nilauth:8080
       - APP_NILAUTH_PUBLIC_KEY=03520e70bd97a5fa6d70c614d50ee47bf445ae0b0941a1d61ddd5afa022b97ab14
       - APP_NODE_PUBLIC_ENDPOINT=http://localhost:40080
       - APP_NODE_SECRET_KEY=6cab2d10ac21886404eca7cbd40f1777071a243177eae464042885b391412b4e
       - APP_PORT=8080
+      - OTEL_ENDPOINT=http://otel-collector:4318
+      - OTEL_SERVICE_NAME=nildb
+      - OTEL_TEAM_NAME=nildb
+      - OTEL_DEPLOYMENT_ENV=local
+      - OTEL_METRICS_EXPORT_INTERVAL_MS=10000
 
   mongodb:
     image: mongo:latest
@@ -56,3 +63,11 @@ services:
       - ./nilchaind/config/genesis.json:/opt/nilchain/config/genesis.json
     ports:
       - "40648:26648" # JSON RPC
+
+  otel-collector:
+    image: otel/opentelemetry-collector:latest
+    command: ["--config=/etc/otel-collector-config.yaml"]
+    volumes:
+      - ./otel-collector/config.yaml:/etc/otel-collector-config.yaml
+    ports:
+      - "40318:4318"   # OTLP HTTP receiver
@@ -0,0 +1,30 @@
+receivers:
+  otlp:
+    protocols:
+      http:
+        endpoint: 0.0.0.0:4318
+
+processors:
+  batch:
+
+exporters:
+  # Debug exporter - logs all telemetry to stdout
+  debug:
+    verbosity: detailed
+
+service:
+  pipelines:
+    traces:
+      receivers: [otlp]
+      processors: [batch]
+      exporters: [debug]
+
+    metrics:
+      receivers: [otlp]
+      processors: [batch]
+      exporters: [debug]
+
+    logs:
+      receivers: [otlp]
+      processors: [batch]
+      exporters: [debug]
@@ -8,3 +8,10 @@ APP_NILAUTH_PUBLIC_KEY=03520e70bd97a5fa6d70c614d50ee47bf445ae0b0941a1d61ddd5afa0
 APP_NODE_SECRET_KEY=d5cf0b58964c516465d228be9330a047cb09bcdc7aaabea6485e1152182967fa
 APP_NODE_PUBLIC_ENDPOINT=http://localhost:8080
 APP_PORT=8080
+OTEL_ENDPOINT=http://localhost
+OTEL_SERVICE_NAME=nildb
+OTEL_TEAM_NAME=platform
+OTEL_DEPLOYMENT_ENV=local
+OTEL_METRICS_EXPORT_INTERVAL_MS=60000
+# OTEL_RESOURCE_ATTRIBUTES=service.instance.id=nildb-foo  # Set custom resource attributes (comma-separated)
+# OTEL_SDK_DISABLED=true  # Set to 'true' to disable OpenTelemetry SDK
@@ -18,7 +18,24 @@
   "dependencies": {
     "@nillion/nildb-types": "workspace:*",
     "@nillion/nildb-shared": "workspace:*",
-    "mongodb": "^6.20.0"
+    "mongodb": "^6.20.0",
+    "@opentelemetry/api": "^1.9.0",
+    "@opentelemetry/api-logs": "^0.54.0",
+    "@opentelemetry/auto-instrumentations-node": "^0.51.0",
+    "@opentelemetry/exporter-logs-otlp-http": "^0.54.0",
+    "@opentelemetry/exporter-metrics-otlp-http": "^0.54.0",
+    "@opentelemetry/exporter-prometheus": "^0.54.0",
+    "@opentelemetry/exporter-trace-otlp-http": "^0.54.0",
+    "@opentelemetry/host-metrics": "^0.36.0",
+    "@opentelemetry/instrumentation": "^0.54.0",
+    "@opentelemetry/instrumentation-http": "^0.54.0",
+    "@opentelemetry/instrumentation-runtime-node": "^0.7.0",
+    "@opentelemetry/resources": "^1.28.0",
+    "@opentelemetry/sdk-logs": "^0.54.0",
+    "@opentelemetry/sdk-metrics": "^1.28.0",
+    "@opentelemetry/sdk-node": "^0.54.0",
+    "@opentelemetry/sdk-trace-node": "^1.28.0",
+    "@opentelemetry/semantic-conventions": "^1.28.0"
   },
   "devDependencies": {
     "@hono/node-server": "^1.19.5",
@@ -72,7 +89,8 @@
     "clean": true,
     "minify": false,
     "external": [
-      "mongodb"
+      "mongodb",
+      "@opentelemetry/*"
     ]
   }
 }
@@ -9,16 +9,15 @@ import { corsMiddleware } from "./middleware/cors.middleware.js";
 import { limitRequestBodySizeMiddleware } from "./middleware/limit-body.middleware.js";
 import { loggerMiddleware } from "./middleware/logger.middleware.js";
 import { maintenanceMiddleware } from "./middleware/maintenance.middleware.js";
+import { metricsMiddleware } from "./middleware/metrics.middleware.js";
 import { rateLimitMiddleware } from "./middleware/rate-limit.middleware.js";
 import { buildQueriesRouter } from "./queries/queries.router.js";
 import { buildSystemRouter } from "./system/system.router.js";
 import { buildUserRouter } from "./users/users.router.js";
 
 export type App = Hono<AppEnv>;
 
-export async function buildApp(
-  bindings: AppBindings,
-): Promise<{ app: App; metrics: Hono | undefined }> {
+export async function buildApp(bindings: AppBindings): Promise<{ app: App }> {
   const app = new Hono<AppEnv>();
   const options: ControllerOptions = { app, bindings };
 
@@ -35,19 +34,20 @@ export async function buildApp(
     return next();
   });
 
+  metricsMiddleware(options);
   corsMiddleware(options);
   rateLimitMiddleware(options);
   limitRequestBodySizeMiddleware(options);
   loggerMiddleware(options);
   maintenanceMiddleware(options);
 
   // Setup controllers
-  const { metrics } = buildSystemRouter(options);
+  buildSystemRouter(options);
   buildBuildersRouter(options);
   buildCollectionsRouter(options);
   buildQueriesRouter(options);
   buildDataRouter(options);
   buildUserRouter(options);
 
-  return { app, metrics };
+  return { app };
 }