kagenti
diff --git a/‎CLAUDE.md‎
Lines changed: 1 addition & 1 deletion b/‎CLAUDE.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎authbridge/authlib/auth/auth.go‎
Lines changed: 229 additions & 0 deletions b/‎authbridge/authlib/auth/auth.go‎
Lines changed: 229 additions & 0 deletions
@@ -66,7 +66,7 @@ A **single binary** providing transparent traffic interception for both inbound
 - `authproxy/init-iptables.sh` — Traffic interception setup (Istio ambient mesh compatible)
 - `authproxy/Dockerfile.init` — Init container image
 
-**Ports:** 15123 (outbound), 15124 (inbound), 9090 (ext-proc/ext-authz), 9901 (admin)
+**Ports:** 15123 (outbound), 15124 (inbound), 9090 (ext-proc/ext-authz), 9901 (admin), 9093 (stats and config)
 
 ### 2. Client Registration (Python)
 
 
@@ -2,9 +2,11 @@ package auth
 
 import (
 	"context"
+	"encoding/json"
 	"log/slog"
 	"net/http"
 	"strings"
+	"sync"
 	"sync/atomic"
 	"time"
 
@@ -56,6 +58,171 @@ type Auth struct {
 	actorTokenSource ActorTokenSource
 	audienceDeriver  AudienceDeriver
 	log              *slog.Logger
+	Stats            *Stats
+}
+
+// Stats holds statistics for validation and exchange.
+// The current implementation keeps approvals/denials/exchange as counters.
+type Stats struct {
+	mu                    sync.Mutex // protects the following fields
+	inboundApprovals      map[InboundApprovalReason]int
+	inboundDenials        map[InboundDenialReason]int
+	outboundApprovals     map[OutboundApprovalReason]int
+	outboundDenials       map[OutboundDenialReason]int
+	outboundReplaceTokens map[OutboundReplaceTokenReason]int
+}
+
+// InboundDenialReason enumerates the reasons for inbound validation failure.
+type InboundDenialReason int
+
+const (
+	DENY_NO_HEADER InboundDenialReason = iota
+	DENY_MALFORMED_HEADER
+	DENY_VALIDATOR_MISSING
+	DENY_JWT_FAILED
+)
+
+// InboundApprovalReason enumerates the rationale for inbound validation success.
+type InboundApprovalReason int
+
+const (
+	APPROVE_PASSTHROUGH InboundApprovalReason = iota
+	APPROVE_AUTHORIZED
+)
+
+// OutboundApprovalReason enumerates the rationale for outbound validation success.
+type OutboundApprovalReason int
+
+const (
+	OUTBOUND_NO_MATCHING_ROUTE OutboundApprovalReason = iota
+	OUTBOUND_NO_EXCHANGER
+	OUTBOUND_PASSTHROUGH
+	OUTBOUND_NO_TOKEN_POLICY
+)
+
+// OutboundDenialReason enumerates the reasons for outbound denial.
+type OutboundDenialReason int
+
+const (
+	OUTBOUND_CREDS_REQUESTED_NO_EXCHANGER OutboundDenialReason = iota
+	OUTBOUND_CREDENTIALS_GRANT_FAILURE
+	OUTBOUND_NO_TOKEN
+	OUTBOUND_TOKEN_EXCHANGE_FAILED
+)
+
+// OutboundReplaceTokenReason enumerates the reasons for outbound token exchange.
+type OutboundReplaceTokenReason int
+
+const (
+	OUTBOUND_ACTION_REPLACE_TOKEN OutboundReplaceTokenReason = iota
+	OUTBOUND_ACTION_CACHE_HIT
+)
+
+func (r InboundDenialReason) String() string {
+	switch r {
+	case DENY_NO_HEADER:
+		return "no_header"
+	case DENY_MALFORMED_HEADER:
+		return "malformed_header"
+	case DENY_VALIDATOR_MISSING:
+		return "validator_missing"
+	case DENY_JWT_FAILED:
+		return "jwt_failed"
+	default:
+		return "unknown"
+	}
+}
+
+func (r InboundApprovalReason) String() string {
+	switch r {
+	case APPROVE_PASSTHROUGH:
+		return "passthrough"
+	case APPROVE_AUTHORIZED:
+		return "authorized"
+	default:
+		return "unknown"
+	}
+}
+
+func (r OutboundApprovalReason) String() string {
+	switch r {
+	case OUTBOUND_NO_MATCHING_ROUTE:
+		return "no_matching_route"
+	case OUTBOUND_NO_EXCHANGER:
+		return "no_exchanger"
+	case OUTBOUND_PASSTHROUGH:
+		return "passthrough"
+	case OUTBOUND_NO_TOKEN_POLICY:
+		return "no_token_policy"
+	default:
+		return "unknown"
+	}
+}
+
+func (r OutboundDenialReason) String() string {
+	switch r {
+	case OUTBOUND_CREDS_REQUESTED_NO_EXCHANGER:
+		return "creds_requested_no_exchanger"
+	case OUTBOUND_CREDENTIALS_GRANT_FAILURE:
+		return "credentials_grant_failure"
+	case OUTBOUND_NO_TOKEN:
+		return "no_token"
+	case OUTBOUND_TOKEN_EXCHANGE_FAILED:
+		return "token_exchange_failed"
+	default:
+		return "unknown"
+	}
+}
+
+func (r OutboundReplaceTokenReason) String() string {
+	switch r {
+	case OUTBOUND_ACTION_REPLACE_TOKEN:
+		return "replace_token"
+	case OUTBOUND_ACTION_CACHE_HIT:
+		return "cache_hit"
+	default:
+		return "unknown"
+	}
+}
+
+func (s *Stats) MarshalJSON() ([]byte, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	inApprovals := make(map[string]int, len(s.inboundApprovals))
+	for k, v := range s.inboundApprovals {
+		inApprovals[k.String()] = v
+	}
+	inDenials := make(map[string]int, len(s.inboundDenials))
+	for k, v := range s.inboundDenials {
+		inDenials[k.String()] = v
+	}
+	outApprovals := make(map[string]int, len(s.outboundApprovals))
+	for k, v := range s.outboundApprovals {
+		outApprovals[k.String()] = v
+	}
+	outDenials := make(map[string]int, len(s.outboundDenials))
+	for k, v := range s.outboundDenials {
+		outDenials[k.String()] = v
+	}
+	outReplaceTokens := make(map[string]int, len(s.outboundReplaceTokens))
+	for k, v := range s.outboundReplaceTokens {
+		outReplaceTokens[k.String()] = v
+	}
+
+	return json.Marshal(struct {
+		InboundApprovals      map[string]int `json:"inbound_approvals"`
+		InboundDenials        map[string]int `json:"inbound_denials"`
+		OutboundApprovals     map[string]int `json:"outbound_approvals"`
+		OutboundDenials       map[string]int `json:"outbound_denials"`
+		OutboundReplaceTokens map[string]int `json:"outbound_replace_tokens"`
+	}{
+		InboundApprovals:      inApprovals,
+		InboundDenials:        inDenials,
+		OutboundApprovals:     outApprovals,
+		OutboundDenials:       outDenials,
+		OutboundReplaceTokens: outReplaceTokens,
+	})
 }
 
 // New creates an Auth instance from resolved configuration.
@@ -74,6 +241,7 @@ func New(cfg Config) *Auth {
 		actorTokenSource: cfg.ActorTokenSource,
 		audienceDeriver:  cfg.AudienceDeriver,
 		log:              logger,
+		Stats:            NewStats(),
 	}
 	id := cfg.Identity
 	a.identity.Store(&id)
@@ -98,12 +266,14 @@ func (a *Auth) UpdateIdentity(id IdentityConfig, clientAuth exchange.ClientAuth)
 func (a *Auth) HandleInbound(ctx context.Context, authHeader, path, audience string) *InboundResult {
 	// 1. Bypass check
 	if a.bypass != nil && a.bypass.Match(path) {
+		a.IncInboundApprove(APPROVE_PASSTHROUGH)
 		a.log.Debug("bypass path matched", "path", path)
 		return &InboundResult{Action: ActionAllow}
 	}
 
 	// 2. Extract bearer token
 	if authHeader == "" {
+		a.IncInboundDeny(DENY_NO_HEADER)
 		a.log.Debug("inbound denied: no Authorization header", "path", path)
 		return &InboundResult{
 			Action:     ActionDeny,
@@ -113,6 +283,7 @@ func (a *Auth) HandleInbound(ctx context.Context, authHeader, path, audience str
 	}
 	token := extractBearer(authHeader)
 	if token == "" {
+		a.IncInboundDeny(DENY_MALFORMED_HEADER)
 		a.log.Debug("inbound denied: malformed Authorization header", "path", path)
 		return &InboundResult{
 			Action:     ActionDeny,
@@ -123,6 +294,7 @@ func (a *Auth) HandleInbound(ctx context.Context, authHeader, path, audience str
 
 	// 3. Validate JWT
 	if a.verifier == nil {
+		a.IncInboundDeny(DENY_VALIDATOR_MISSING)
 		return &InboundResult{
 			Action:     ActionDeny,
 			DenyStatus: http.StatusUnauthorized,
@@ -137,6 +309,7 @@ func (a *Auth) HandleInbound(ctx context.Context, authHeader, path, audience str
 	if err != nil {
 		// Log full error at Info; log detailed context at Debug.
 		// Generic message returned to client to avoid leaking details.
+		a.IncInboundDeny(DENY_JWT_FAILED)
 		a.log.Info("JWT validation failed", "error", err)
 		a.log.Debug("JWT validation details",
 			"path", path,
@@ -151,6 +324,7 @@ func (a *Auth) HandleInbound(ctx context.Context, authHeader, path, audience str
 	}
 
 	// 4. Allow with claims
+	a.IncInboundApprove(APPROVE_AUTHORIZED)
 	a.log.Info("inbound authorized",
 		"subject", claims.Subject, "clientID", claims.ClientID)
 	a.log.Debug("inbound authorized details",
@@ -170,10 +344,12 @@ func (a *Auth) HandleOutbound(ctx context.Context, authHeader, host string) *Out
 
 	// 2. Passthrough
 	if resolved == nil {
+		a.IncOutboundApprove(OUTBOUND_NO_MATCHING_ROUTE)
 		a.log.Info("outbound passthrough", "host", host, "reason", "no matching route")
 		return &OutboundResult{Action: ActionAllow}
 	}
 	if resolved.Passthrough {
+		a.IncOutboundApprove(OUTBOUND_PASSTHROUGH)
 		a.log.Info("outbound passthrough", "host", host, "reason", "route action")
 		return &OutboundResult{Action: ActionAllow}
 	}
@@ -205,13 +381,15 @@ func (a *Auth) HandleOutbound(ctx context.Context, authHeader, host string) *Out
 	// 5. Cache check
 	if a.cache != nil {
 		if cached, ok := a.cache.Get(subjectToken, audience); ok {
+			a.IncOutboundReplaceToken(OUTBOUND_ACTION_CACHE_HIT)
 			a.log.Debug("outbound cache hit", "host", host, "audience", audience)
 			return &OutboundResult{Action: ActionReplaceToken, Token: cached}
 		}
 	}
 
 	// 6. Token exchange
 	if a.exchanger == nil {
+		a.IncOutboundApprove(OUTBOUND_NO_EXCHANGER)
 		a.log.Warn("exchanger not configured, passing through",
 			"host", host, "audience", audience)
 		return &OutboundResult{Action: ActionAllow}
@@ -236,6 +414,7 @@ func (a *Auth) HandleOutbound(ctx context.Context, authHeader, host string) *Out
 		TokenEndpoint: resolved.TokenEndpoint, // per-route override
 	})
 	if err != nil {
+		a.IncOutboundDeny(OUTBOUND_TOKEN_EXCHANGE_FAILED)
 		a.log.Info("token exchange failed", "host", host, "error", err)
 		a.log.Debug("token exchange failure details",
 			"host", host,
@@ -257,6 +436,7 @@ func (a *Auth) HandleOutbound(ctx context.Context, authHeader, host string) *Out
 			time.Duration(resp.ExpiresIn)*time.Second)
 	}
 
+	a.IncOutboundReplaceToken(OUTBOUND_ACTION_REPLACE_TOKEN)
 	a.log.Info("outbound token exchanged", "host", host, "audience", audience)
 	a.log.Debug("outbound exchange details",
 		"host", host, "audience", audience, "expiresIn", resp.ExpiresIn)
@@ -266,11 +446,13 @@ func (a *Auth) HandleOutbound(ctx context.Context, authHeader, host string) *Out
 func (a *Auth) handleNoToken(ctx context.Context, audience, scopes string) *OutboundResult {
 	switch a.noTokenPolicy {
 	case NoTokenPolicyAllow:
+		a.IncOutboundApprove(OUTBOUND_NO_TOKEN_POLICY)
 		a.log.Debug("no token, policy=allow")
 		return &OutboundResult{Action: ActionAllow}
 
 	case NoTokenPolicyClientCredentials:
 		if a.exchanger == nil {
+			a.IncOutboundDeny(OUTBOUND_CREDS_REQUESTED_NO_EXCHANGER)
 			a.log.Debug("no token, client_credentials requested but exchanger not configured",
 				"audience", audience)
 			return &OutboundResult{
@@ -283,6 +465,7 @@ func (a *Auth) handleNoToken(ctx context.Context, audience, scopes string) *Outb
 			"audience", audience, "scopes", scopes)
 		resp, err := a.exchanger.ClientCredentials(ctx, audience, scopes)
 		if err != nil {
+			a.IncOutboundDeny(OUTBOUND_CREDENTIALS_GRANT_FAILURE)
 			a.log.Info("client credentials grant failed", "error", err)
 			a.log.Debug("client credentials failure details",
 				"audience", audience, "scopes", scopes, "error", err)
@@ -292,9 +475,11 @@ func (a *Auth) handleNoToken(ctx context.Context, audience, scopes string) *Outb
 				DenyReason: "client credentials token acquisition failed",
 			}
 		}
+		a.IncOutboundReplaceToken(OUTBOUND_ACTION_REPLACE_TOKEN)
 		return &OutboundResult{Action: ActionReplaceToken, Token: resp.AccessToken}
 
 	default: // NoTokenDeny or unknown
+		a.IncOutboundDeny(OUTBOUND_NO_TOKEN)
 		a.log.Debug("no token, policy denies request",
 			"policy", a.noTokenPolicy, "audience", audience)
 		return &OutboundResult{
@@ -312,3 +497,47 @@ func extractBearer(authHeader string) string {
 	}
 	return ""
 }
+
+func NewStats() *Stats {
+	return &Stats{
+		inboundApprovals:      make(map[InboundApprovalReason]int),
+		inboundDenials:        make(map[InboundDenialReason]int),
+		outboundApprovals:     make(map[OutboundApprovalReason]int),
+		outboundDenials:       make(map[OutboundDenialReason]int),
+		outboundReplaceTokens: make(map[OutboundReplaceTokenReason]int),
+	}
+}
+
+// IncInboundApprove records a new approval (for statistics)
+func (a *Auth) IncInboundApprove(reason InboundApprovalReason) {
+	a.Stats.mu.Lock()
+	a.Stats.inboundApprovals[reason]++
+	a.Stats.mu.Unlock()
+}
+
+// IncInboundDeny records a new denial (for statistics)
+func (a *Auth) IncInboundDeny(reason InboundDenialReason) {
+	a.Stats.mu.Lock()
+	a.Stats.inboundDenials[reason]++
+	a.Stats.mu.Unlock()
+}
+
+// IncOutboundApprove records a new approval (for statistics)
+func (a *Auth) IncOutboundApprove(reason OutboundApprovalReason) {
+	a.Stats.mu.Lock()
+	a.Stats.outboundApprovals[reason]++
+	a.Stats.mu.Unlock()
+}
+
+// IncOutboundDeny records a new denial (for statistics)
+func (a *Auth) IncOutboundDeny(reason OutboundDenialReason) {
+	a.Stats.mu.Lock()
+	a.Stats.outboundDenials[reason]++
+	a.Stats.mu.Unlock()
+}
+
+func (a *Auth) IncOutboundReplaceToken(reason OutboundReplaceTokenReason) {
+	a.Stats.mu.Lock()
+	a.Stats.outboundReplaceTokens[reason]++
+	a.Stats.mu.Unlock()
+}