feat: add new Prometheus metrics and bearer token auth for /metrics

Add 6 new Prometheus metrics for richer observability:
- auth_attempts_by_country_total (counter by country)
- commands_executed_total (counter by shell via OnCommand callback)
- human_score (histogram of final detection scores)
- storage_login_attempts_total, storage_unique_ips, storage_sessions_total
  (gauges via custom collector querying GetDashboardStats on each scrape)

Add optional bearer token authentication for the /metrics endpoint via
web.metrics_token config option. Uses crypto/subtle.ConstantTimeCompare.
Empty token (default) means no auth for backwards compatibility.

Also adds "cisco" to pre-initialized session/command metric labels.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-15 15:54:29 +01:00
parent 9aecc7ce02
commit df860b3061
16 changed files with 301 additions and 23 deletions


@@ -79,6 +79,7 @@ func run() error {
go storage.RunRetention(ctx, store, cfg.Storage.RetentionDays, cfg.Storage.RetentionIntervalDuration, logger)
m := metrics.New(Version)
m.RegisterStoreCollector(store)
srv, err := server.New(*cfg, store, logger, m)
if err != nil {
@@ -94,7 +95,7 @@ func run() error {
metricsHandler = m.Handler()
}
webHandler, err := web.NewServer(store, logger.With("component", "web"), metricsHandler)
webHandler, err := web.NewServer(store, logger.With("component", "web"), metricsHandler, cfg.Web.MetricsToken)
if err != nil {
return fmt.Errorf("create web server: %w", err)
}
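Review bot: In the second hunk, `cfg.Web.MetricsToken` is passed to `web.NewServer` with no check at this call site, so an empty value (the documented default) leaves /metrics unauthenticated without any signal to the operator. Per the commit description the new store collector calls GetDashboardStats on each scrape, so an open endpoint both exposes the per-country and storage figures and lets any client that can reach it trigger storage queries. Consider a startup warning when metrics are enabled without a token, e.g. `if metricsHandler != nil && cfg.Web.MetricsToken == "" { logger.Warn("metrics enabled without web.metrics_token; /metrics is unauthenticated") }` (assuming the logger exposes `Warn`, as its `With` call suggests). `run()` begins and ends outside the hunk, so the condition guarding `m.Handler()` is not visible here.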