feat: expose Prometheus /metrics endpoint for usage dashboards (#102)

* feat: expose Prometheus /metrics endpoint for usage dashboards

Adds a Prometheus text-format `GET /metrics` endpoint covering the metrics
requested in #101:

  * cryptify_uploads_total{channel}
  * cryptify_upload_bytes_total{channel}
  * cryptify_storage_bytes (gauge, sampled periodically from data_dir)
  * cryptify_active_files (gauge, same source)
  * cryptify_expired_files_total (counter, purged-before-finalized)

The channel label is derived from request headers:
  1. X-Cryptify-Source explicit header
  2. Authorization: Bearer / X-Api-Key -> "api"
  3. Origin -> "staging-website" / "website"
  4. User-Agent substring -> "outlook" / "thunderbird"
  5. fallback "unknown"

Values are sanitized (lower-case [a-z0-9_-], max 32 chars) to prevent
label-injection and cardinality blowup.

Storage gauges are sampled by a background task that walks data_dir every
`metrics_scan_interval_secs` (default 60, configurable). Dashboard JSON
ready for import into the Scaleway Grafana instance is shipped under
`docs/grafana/`, alongside a Prometheus scrape-config example.

No authentication on /metrics; restrict via firewall / proxy allow-list
(documented in README and docs/grafana/README.md).

Refs #101

* chore: cargo fmt + drop non-standard Monitoring README section

Rule compliance pass:
- cargo fmt --all (rust-run-cargo-fmt-before-push)
- README "Monitoring" section removed; docs already live in
  docs/grafana/README.md (standardized-readmes)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix: correct indentation of production target in Grafana scrape config

The production target's labels block was indented under targets instead
of being a sibling, which would fail YAML parsing.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* chore: drop docs/grafana from metrics PR

Remove the Grafana dashboard JSON and scrape-config README per
maintainer feedback — keep only the /metrics endpoint exposure.

---------

Co-authored-by: dobby-yivi-agent[bot] <275734547+dobby-yivi-agent[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: dobby-coder[bot]

api-description.yaml

@@ -9,6 +9,8 @@ servers:
 tags:
 - name: "Health"
   description: "Health check"
+- name: "Metrics"
+  description: "Prometheus scrape endpoint"
 - name: "File upload"
   description: "Upload files"
 - name: "File download"
@@ -30,6 +32,37 @@ paths:
               schema:
                 type: "string"
                 example: "OK"
+  /metrics:
+    get:
+      tags:
+        - "Metrics"
+      summary: "Prometheus text-format metrics"
+      description: |
+        Returns usage counters and gauges suitable for Prometheus scraping
+        by the Grafana instance on Scaleway. Intended to be reachable only
+        from the internal monitoring network; firewall or reverse-proxy
+        allow-list in front of Cryptify.
+
+        Exposed metrics:
+          * `cryptify_uploads_total{channel}` — counter of finalized uploads.
+          * `cryptify_upload_bytes_total{channel}` — counter of bytes.
+          * `cryptify_storage_bytes` — gauge, current disk usage.
+          * `cryptify_active_files` — gauge, current file count.
+          * `cryptify_expired_files_total` — counter of uploads purged
+             before finalization.
+
+        The `channel` label is derived from the `X-Cryptify-Source` header,
+        falling back to `Authorization`/`X-Api-Key` (→ `api`), then the
+        `Origin` header (`website` / `staging-website`), then `User-Agent`
+        (`outlook` / `thunderbird`), then `unknown`.
+      operationId: "metrics"
+      responses:
+        "200":
+          description: "Prometheus text exposition format"
+          content:
+            text/plain:
+              schema:
+                type: "string"
   /fileupload/init:
     post:
         tags:

src/config.rs

@@ -12,6 +12,7 @@ pub struct RawCryptifyConfig {
     smtp_tls: Option<bool>,
     allowed_origins: String,
     pkg_url: String,
+    metrics_scan_interval_secs: Option<u64>,
     chunk_size: Option<u64>,
     session_ttl_secs: Option<u64>,
     staging_mode: Option<bool>,
@@ -30,6 +31,7 @@ pub struct CryptifyConfig {
     smtp_tls: bool,
     allowed_origins: String,
     pkg_url: String,
+    metrics_scan_interval_secs: u64,
     chunk_size: u64,
     session_ttl_secs: u64,
     staging_mode: bool,
@@ -51,6 +53,7 @@ impl From<RawCryptifyConfig> for CryptifyConfig {
             smtp_tls: config.smtp_tls.unwrap_or(true),
             allowed_origins: config.allowed_origins,
             pkg_url: config.pkg_url,
+            metrics_scan_interval_secs: config.metrics_scan_interval_secs.unwrap_or(60),
             chunk_size: config.chunk_size.unwrap_or(5_000_000),
             session_ttl_secs: config.session_ttl_secs.unwrap_or(3600),
             staging_mode: config.staging_mode.unwrap_or(false),
@@ -99,6 +102,10 @@ impl CryptifyConfig {
         &self.pkg_url
     }
 
+    pub fn metrics_scan_interval_secs(&self) -> u64 {
+        self.metrics_scan_interval_secs
+    }
+
     pub fn chunk_size(&self) -> u64 {
         self.chunk_size
     }
@@ -124,6 +131,7 @@ impl CryptifyConfig {
             smtp_tls: false,
             allowed_origins: String::new(),
             pkg_url: String::new(),
+            metrics_scan_interval_secs: 60,
             chunk_size: 5_000_000,
             session_ttl_secs: 3600,
             staging_mode,

src/email.rs

@@ -419,6 +419,7 @@ mod tests {
                 ("phone".to_owned(), "+31123".to_owned()),
             ],
             confirm: true,
+            source_channel: String::new(),
             notify_recipients: true,
             api_key_tenant: None,
             api_key_validation_failed: false,

src/main.rs

@@ -1,11 +1,16 @@
 mod config;
 mod email;
 mod error;
+mod metrics;
 mod store;
 
+use std::sync::Arc;
+use std::time::Duration;
+
 use crate::config::CryptifyConfig;
 use crate::email::send_email;
 use crate::error::{Error, PayloadTooLargeBody};
+use crate::metrics::{detect_channel, storage_sampler, Metrics};
 use crate::store::{
     API_KEY_PER_UPLOAD_LIMIT, API_KEY_ROLLING_LIMIT, PER_UPLOAD_LIMIT, ROLLING_LIMIT,
     ROLLING_WINDOW_SECS,
@@ -38,7 +43,6 @@ use rocket::http::Method;
 use rocket_cors::{AllowedHeaders, AllowedOrigins, CorsOptions};
 
 use serde::{Deserialize, Serialize};
-use std::time::Duration;
 use store::{FileState, LastChunkRecord, Store};
 
 #[derive(Serialize, Deserialize)]
@@ -89,11 +93,35 @@ struct InitResponder {
     cryptify_token: CryptifyToken,
 }
 
+/// Request guard that derives the traffic source channel from the request
+/// headers for metrics labelling.
+struct ClientHeaders {
+    channel: String,
+}
+
+#[rocket::async_trait]
+impl<'r> FromRequest<'r> for ClientHeaders {
+    type Error = std::convert::Infallible;
+
+    async fn from_request(
+        request: &'r rocket::Request<'_>,
+    ) -> rocket::request::Outcome<Self, Self::Error> {
+        rocket::request::Outcome::Success(ClientHeaders {
+            channel: detect_channel(request.headers()),
+        })
+    }
+}
+
 #[get("/health")]
 fn health() -> &'static str {
     "OK"
 }
 
+#[get("/metrics")]
+fn metrics_endpoint(metrics: &State<Arc<Metrics>>) -> rocket::response::content::RawText<String> {
+    rocket::response::content::RawText(metrics.render())
+}
+
 /// Extract a `PG-…` bearer token from an Authorization header value, or
 /// `None` for any other shape (missing, wrong scheme, non-PG prefix). Kept
 /// as a pure helper so the parsing rules are unit-testable without HTTP.
@@ -258,6 +286,7 @@ async fn upload_init(
     store: &State<Store>,
     api_key: ApiKey,
     request: Json<InitBody>,
+    client_headers: ClientHeaders,
 ) -> Result<InitResponder, Error> {
     let current_time = chrono::offset::Utc::now().timestamp();
 
@@ -288,6 +317,7 @@ async fn upload_init(
             sender: None,
             sender_attributes: Vec::new(),
             confirm: request.confirm,
+            source_channel: client_headers.channel,
             notify_recipients: request.notify_recipients,
             api_key_tenant: api_key.tenant,
             api_key_validation_failed: api_key.validation_failed,
@@ -694,6 +724,7 @@ async fn upload_finalize(
     config: &State<CryptifyConfig>,
     store: &State<Store>,
     vk: &State<Parameters<VerifyingKey>>,
+    metrics: &State<Arc<Metrics>>,
     headers: FinalizeHeaders,
     uuid: &str,
 ) -> Result<(), Error> {
@@ -792,6 +823,8 @@ async fn upload_finalize(
         Error::InternalServerError(Some("could not send email".to_owned()))
     })?;
 
+    metrics.record_upload(&state.source_channel, state.uploaded);
+
     if let Some(key) = accounting_key {
         store.record_upload(key, state.uploaded, now_secs);
     }
@@ -1141,6 +1174,13 @@ pub fn build_rocket(figment: Figment, vk: Parameters<VerifyingKey>) -> Rocket<Bu
         .to_cors()
         .expect("unable to configure CORS");
 
+    let metrics = Arc::new(Metrics::new());
+    rocket::tokio::spawn(storage_sampler(
+        metrics.clone(),
+        std::path::PathBuf::from(config.data_dir()),
+        Duration::from_secs(config.metrics_scan_interval_secs()),
+    ));
+
     let pkg_client = PkgClient::new(config.pkg_url().to_string());
 
     rocket
@@ -1149,6 +1189,7 @@ pub fn build_rocket(figment: Figment, vk: Parameters<VerifyingKey>) -> Rocket<Bu
             "/",
             routes![
                 health,
+                metrics_endpoint,
                 upload_init,
                 upload_chunk,
                 upload_finalize,
@@ -1158,11 +1199,13 @@ pub fn build_rocket(figment: Figment, vk: Parameters<VerifyingKey>) -> Rocket<Bu
             ],
         )
         .attach(AdHoc::config::<CryptifyConfig>())
-        .manage(Store::with_idle_ttl(std::time::Duration::from_secs(
-            config.session_ttl_secs(),
-        )))
+        .manage(Store::with_idle_ttl(
+            std::time::Duration::from_secs(config.session_ttl_secs()),
+            metrics.clone(),
+        ))
         .manage(vk)
         .manage(pkg_client)
+        .manage(metrics)
 }
 
 #[launch]
@@ -1361,7 +1404,7 @@ mod tests {
         let rocket = rocket::custom(figment)
             .mount("/", routes![upload_init])
             .attach(AdHoc::config::<CryptifyConfig>())
-            .manage(Store::new());
+            .manage(Store::new(Arc::new(Metrics::new())));
 
         Client::tracked(rocket).await.expect("valid rocket")
     }
@@ -1450,7 +1493,7 @@ mod tests {
         let rocket = rocket::custom(figment)
             .mount("/", routes![upload_init, upload_status])
             .attach(AdHoc::config::<CryptifyConfig>())
-            .manage(Store::new());
+            .manage(Store::new(Arc::new(Metrics::new())));
 
         Client::tracked(rocket).await.expect("valid rocket")
     }
@@ -1497,7 +1540,7 @@ mod tests {
             .attach(cors)
             .mount("/", routes![upload_init, upload_status])
             .attach(AdHoc::config::<CryptifyConfig>())
-            .manage(Store::new());
+            .manage(Store::new(Arc::new(Metrics::new())));
 
         Client::tracked(rocket).await.expect("valid rocket")
     }
@@ -1787,6 +1830,7 @@ mod tests {
             sender: None,
             sender_attributes: Vec::new(),
             confirm: false,
+            source_channel: String::new(),
             notify_recipients: true,
             api_key_tenant: None,
             api_key_validation_failed: false,