Merge develop into main

[ForeverProglamer]

Summary by CodeRabbit

• New Features

  • Added observability: Prometheus and Grafana services, a prebuilt monitoring dashboard, and a new /metrics endpoint exposing app metrics.
  • Application now records request, order processing, and message-queue metrics for visibility.

• Documentation

  • Deployment docs updated with monitoring UI endpoints and reverse-proxy/auth hints.

• Chores

  • Deployment workflows and environment examples updated to surface Grafana/Prometheus ports and credentials; local ignore list extended.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 11c0992d-4fc0-4b8c-b2a7-53ef4182d98a

📥 Commits

Reviewing files that changed from the base of the PR and between 0e9e738 and a75726d.

📒 Files selected for processing (5)

• README.md
• compose.yml
• src/metrics/metrics.interceptor.ts
• src/metrics/metrics.service.ts
• src/rabbit-mq/rabbit-mq.service.ts

✅ Files skipped from review due to trivial changes (1)

• README.md

🚧 Files skipped from review as they are similar to previous changes (4)

• src/metrics/metrics.interceptor.ts
• src/rabbit-mq/rabbit-mq.service.ts
• src/metrics/metrics.service.ts
• compose.yml

---

📝 Walkthrough

Walkthrough

This pull request introduces comprehensive observability for the e-commerce platform by adding Prometheus metrics collection and Grafana dashboards. The implementation includes a new MetricsService module that instruments HTTP requests, order lifecycle events, and RabbitMQ message operations, with corresponding integrations into OrdersService, OrdersWorkerService, and RabbitMqService. Docker Compose configuration is refactored to use parameterized images and profiles, with new Prometheus and Grafana services added. The production-specific compose.prod.yml is deprecated in favor of compose.yml. CI/CD workflows and documentation are updated accordingly.

Changes

Comprehensive Observability and Monitoring Stack

Layer / File(s)	Summary
Metrics Service & Types src/metrics/metrics.service.ts, package.json	Introduces MetricsService with dedicated Prometheus Registry, default Node.js metrics prefixed ecomm_, and counters/histograms for HTTP requests, order creation/processing, and RabbitMQ messaging. Exported result types (OrderCreateResult, OrderProcessResult, MessageResult) provide typed labels. Adds prom-client ^15.1.3 dependency.
HTTP Metrics Collection src/metrics/metrics.interceptor.ts, src/metrics/metrics.controller.ts	Implements MetricsInterceptor to capture HTTP request duration (hrtime.bigint()), route labels, and status codes via error type inspection (HttpException, DomainError, generic). Implements public GET /metrics endpoint on MetricsController returning Prometheus exposition format.
Metrics Module Wiring src/metrics/metrics.module.ts, src/app.module.ts	Creates MetricsModule registering controller, providing/exporting MetricsService, and installing MetricsInterceptor globally via APP_INTERCEPTOR. Integrates into AppModule.
Order Creation Metrics src/orders/orders.service.ts, src/orders/orders.module.ts	Refactors OrdersService.createOrder() into persistOrder() helper and outcome handlers (handleDuplicateOrder, handleNewOrder, recordOrderCreationFailure). Records creation outcomes (success/duplicate/product_not_found/not_enough_stock/error) via MetricsService. Updates OrdersModule to import MetricsModule.
Order Processing Metrics src/orders/orders-worker.service.ts	Integrates MetricsService into order processing. Measures duration with hrtime.bigint(). Updates handleHappyPath() to return Promise<OrderProcessResult>. Records happy-path outcomes (success/duplicate) and failure outcomes (dlq/retry) with corresponding metric increments.
RabbitMQ Message Metrics src/rabbit-mq/rabbit-mq.service.ts, src/rabbit-mq/rabbit-mq.module.ts	Wraps message send() in try/catch to record incrementRabbitMqMessagePublished(queue, "success"|"buffer_full"|"error"). Records consume() outcomes via incrementRabbitMqMessageConsumed(queue, "success"|"error") after handler execution or on exception. Updates RabbitMqModule to import MetricsModule.
Test Mocks src/orders/orders.service.spec.ts, src/orders/orders-worker.service.spec.ts, src/rabbit-mq/rabbit-mq.service.spec.ts	Adds MetricsService mocks to test modules for OrdersService (incrementOrderCreated), OrdersWorkerService (incrementOrderProcessed, incrementOrderProcessingRetry, observeOrderProcessing), and RabbitMqService (incrementRabbitMqMessagePublished/Consumed).
Input Validation src/orders/create-order.dto.ts	Reorganizes class-validator imports to multi-line format and adds @ArrayUnique((item: OrderItemDto) => item.id) decorator to CreateOrderDto.items for uniqueness validation.
Prometheus & Grafana Config prometheus/prometheus.yml, rabbitmq/enabled_plugins, grafana/provisioning/datasources/datasource.yml, grafana/provisioning/dashboards/dashboard.yml, grafana/dashboards/metrics-baseline.json	Adds Prometheus configuration with 5-second scrape interval targeting api:3000, rabbitmq:15692 (metrics and detailed queue metrics). Enables rabbitmq_prometheus plugin. Provisions Prometheus datasource in Grafana as default. Defines metrics-baseline dashboard with timeseries panels for HTTP traffic, latency p95, error rate, order creation/processing, RabbitMQ publish/consume, queue depth, consumer count, and Node.js heap.
Docker Compose Infrastructure compose.yml, compose.dev.yml, compose.prod.yml	Updates compose.yml: api/migrate/seed services use parameterized ${IMAGE:-ecommerce-platform-api:local} instead of build targets; api binds to 127.0.0.1:${API_PORT}:3000 with fetch-based healthcheck; postgres uses POSTGRES_PASSWORD_FILE secret; rabbitmq uses direct env vars and enabled_plugins mount. Adds prometheus service (9090, config mount, persistent volume) and grafana service (127.0.0.1:${GRAFANA_PORT}:3000, provisioning mounts, persistent volume, environment auth). Extends top-level volumes and adds postgres_password secret. Adds migrate/seed/prometheus to compose.dev.yml. Removes content from compose.prod.yml.
Environment & Build Config .env.example, .dockerignore	Adds environment variables: PROMETHEUS_PORT, GRAFANA_PORT, GRAFANA_ADMIN_USER, GRAFANA_ADMIN_PASSWORD. Updates .dockerignore to exclude local/, Vagrantfile, provision.sh, grafana/, prometheus/, rabbitmq/.
CI/CD Workflows .github/workflows/build-and-stage.yml, .github/workflows/deploy-prod.yml	Both workflows add GRAFANA_PORT to deploy environment, export to .env. Switch docker-compose invocation from compose.prod.yml to compose.yml --profile seed (stage: -p stage, prod: -p prod). Increase health check timing (attempts: 10, sleep: 3).
Documentation README.md, docs/task-9-ci-cd.md	Updates README with Grafana UI endpoints for stage/prod, Caddyfile routes with basic-auth, one-off job commands using compose.yml -f compose.dev.yml --rm --profile seed, and log inspection using `docker compose -f compose.yml -p stage

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly Related PRs

• ForeverProglamer/e-commerce-platform#2: Modifies the same GitHub Actions workflow files and Docker Compose configuration used for deployments; overlap at CI/deploy configuration level.
• ForeverProglamer/e-commerce-platform#25: Also edits AppModule imports and global providers; touches the same module wiring area where MetricsModule is integrated.

🐰 Metrics bloom like carrots in a field so bright,
Prometheus watches, Grafana charts the night,
Orders hop and dance, their timings now revealed,
RabbitMQ's messages in dashboards sealed,
A warren of metrics, where every hop’s annealed!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title is generic and lacks specificity about the actual changes being merged, failing to convey meaningful information about the substantial feature additions.	Consider using a more descriptive title that highlights the main changes, such as 'Add observability infrastructure with Prometheus and Grafana' or 'Integrate metrics collection and monitoring stack'.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch develop

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 7

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/orders/orders.service.ts (1)

98-104: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid recording success before the publish succeeds.

If this.rabbitmq.send(...) throws here, the outer catch also records "error", so one failed createOrder() call is counted twice with conflicting outcomes. Move the success increment after the publish so the metric matches the actual result of this request.

Suggested change

  private handleNewOrder(order: Order, userId: UUID, idempotencyKey: UUID) {
-    this.metricsService.incrementOrderCreated("success");
     this.logger.log("Order created", { userId, idempotencyKey, order });
     this.rabbitmq.send(
       "orders.process",
       new ProcessOrderMessageDto(order.id, order.id),
     );
+    this.metricsService.incrementOrderCreated("success");
     return order;
   }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/orders/orders.service.ts` around lines 98 - 104, The metrics increment is
recorded before publishing, causing double/conflicting counts if rabbitmq.send
throws; change handleNewOrder so the publish succeeds before recording success:
make handleNewOrder async (if not already), await
this.rabbitmq.send("orders.process", new ProcessOrderMessageDto(order.id,
order.id)), then call this.metricsService.incrementOrderCreated("success") after
the awaited send; keep the logger.log as appropriate and do not increment on
failures (let existing outer catch record "error").

🧹 Nitpick comments (4)

prometheus/prometheus.yml (1)

1-2: Consider raising scrape_interval to the Prometheus default (15s).

A global 5-second interval is 3× more frequent than the Prometheus default and applies to all three jobs simultaneously. This increases time-series cardinality, write amplification on TSDB, and steady-state CPU usage in Prometheus — with no dashboard or alerting benefit unless you specifically need sub-15s resolution. You can always lower it per-job for high-frequency counters if needed.

♻️ Suggested change

 global:
-  scrape_interval: 5s
+  scrape_interval: 15s

Or, keep 5s for the API but use a coarser interval for the RabbitMQ jobs:

 global:
-  scrape_interval: 5s
+  scrape_interval: 15s

 scrape_configs:
   - job_name: 'api'
+    scrape_interval: 5s
     metrics_path: /api/metrics

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@prometheus/prometheus.yml` around lines 1 - 2, The global scrape_interval is
set to 5s which is more frequent than Prometheus default; change the
global.scrape_interval value from 5s to 15s to reduce TSDB load, and if you need
higher resolution for specific targets, add per-job scrape_interval overrides
(e.g., set the API job's scrape_interval to 5s and keep RabbitMQ jobs at 15s or
higher) by editing the job definitions in prometheus.yml.

grafana/provisioning/datasources/datasource.yml (1)

1-7: ⚡ Quick win

Consider pinning a uid for stable dashboard-datasource wiring.

Without a uid, Grafana auto-generates one on first start. The Grafana provisioning docs show uid as a field you can set to reference a datasource in other parts of the configuration. If any provisioned dashboard JSON files reference this Prometheus datasource by UID (e.g. using ${DS_PROMETHEUS} or a hardcoded UID), the link will break on a fresh deployment unless the same UID is seeded.

♻️ Proposed addition

 apiVersion: 1
 datasources:
   - name: Prometheus
     type: prometheus
     access: proxy
     url: http://prometheus:9090
+    uid: prometheus
     isDefault: true

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@grafana/provisioning/datasources/datasource.yml` around lines 1 - 7, Add a
stable uid to the Prometheus datasource so dashboards/reference by UID won't
break on fresh deploys: update the datasource block (the entry with name:
Prometheus and type: prometheus) to include a uid field with a deterministic
value (e.g. "prometheus" or "prometheus-main") and ensure any dashboard
placeholders or references (e.g. ${DS_PROMETHEUS} or hardcoded UIDs) point to
that uid.

.env.example (1)

26-29: 💤 Low value

Key ordering violates dotenv-linter rules.

dotenv-linter expects alphabetical ordering within a group. The correct order is: GRAFANA_ADMIN_PASSWORD, GRAFANA_ADMIN_USER, GRAFANA_PORT, PROMETHEUS_PORT.

♻️ Proposed fix

-PROMETHEUS_PORT=9091
-GRAFANA_PORT=8000
-GRAFANA_ADMIN_USER=admin
-GRAFANA_ADMIN_PASSWORD=admin
+GRAFANA_ADMIN_PASSWORD=changeme
+GRAFANA_ADMIN_USER=admin
+GRAFANA_PORT=8000
+PROMETHEUS_PORT=9091

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.env.example around lines 26 - 29, The dotenv keys in .env.example are out
of alphabetical order; reorder the four variables so they follow dotenv-linter's
expected alphabetical grouping: GRAFANA_ADMIN_PASSWORD, GRAFANA_ADMIN_USER,
GRAFANA_PORT, PROMETHEUS_PORT — update the block containing PROMETHEUS_PORT,
GRAFANA_PORT, GRAFANA_ADMIN_USER, GRAFANA_ADMIN_PASSWORD to that alphabetical
sequence, preserving values but changing only the key order.

grafana/dashboards/metrics-baseline.json (1)

1-9: ⚡ Quick win

Add a stable uid to prevent duplicate dashboards on re-provisioning.

Grafana warns: "Be careful not to reuse the same title multiple times within a folder or uid within the same Grafana instance to avoid inconsistent behavior." Without a uid, Grafana assigns one during provisioning; if you want to reference the dashboard from other dashboards or ensure stable URLs, set it yourself. Each re-provisioning without a uid can create a new dashboard entry rather than updating the existing one.

✏️ Suggested addition

 {
   "title": "E-commerce Metrics",
+  "uid": "ecomm-metrics-baseline",
   "schemaVersion": 39,

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@grafana/dashboards/metrics-baseline.json` around lines 1 - 9, The dashboard
JSON lacks a stable "uid" which causes Grafana to create duplicates on
re-provisioning; add a top-level "uid" property (e.g., a short stable identifier
like "ecommerce-metrics" or a generated UUID) alongside "title": "E-commerce
Metrics" and "schemaVersion": 39 so the dashboard is updated in-place rather
than recreated; ensure the uid is permanent and unique within the Grafana
instance so other dashboards or links can reliably reference this dashboard.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.env.example:
- Line 29: Replace the literal default value "admin" for GRAFANA_ADMIN_PASSWORD
in .env.example with a neutral placeholder (e.g.,
GRAFANA_ADMIN_PASSWORD=YOUR_SECURE_PASSWORD_HERE) to avoid encouraging
copy-paste of insecure credentials; also ensure the accompanying
GRAFANA_ADMIN_USER comment or value suggests a non-default admin username or
placeholder to discourage using "admin" in staging/production.

In `@compose.yml`:
- Line 9: Replace optional ${VAR} expansions with the required-variable form so
Compose fails fast when mandatory env vars are missing: update the port mapping
"127.0.0.1:${API_PORT}:3000" and every other occurrence called out (lines
referencing API_PORT, DB_*, RABBITMQ_*, GRAFANA_ADMIN_USER,
GRAFANA_ADMIN_PASSWORD) to use the required-syntax (e.g., change ${API_PORT} to
${API_PORT?API_PORT is required} or similar required-variable form supported by
Compose) so container startup will error immediately if those env vars are
unset.

In `@docs/task-9-ci-cd.md`:
- Line 26: Update the two documented deploy commands that currently read "docker
compose -f compose.yml -p stage up -d" and "docker compose -f compose.yml -p
prod up -d" to match the CI/CD workflows by adding the missing profile flag so
they become "docker compose -f compose.yml --profile seed -p stage up -d" and
"docker compose -f compose.yml --profile seed -p prod up -d".

In `@grafana/provisioning/dashboards/dashboard.yml`:
- Around line 12-19: The grafana dashboard provider "rabbitmq-overview" is
configured to use the same options.path as "metrics-baseline", causing duplicate
loading and UID conflicts; fix by either removing the "rabbitmq-overview"
provider entry or changing its options.path to a separate subdirectory (e.g.,
set the "rabbitmq-overview" provider's options.path to
/etc/grafana/dashboards/rabbitmq-overview and ensure the dashboard JSON is moved
there) so each provider points to a unique directory and no JSON is processed
twice.

In `@src/metrics/metrics.controller.ts`:
- Around line 9-14: The /metrics endpoint currently uses `@Public`() on the
metrics() method (in metrics.controller.ts) which exposes sensitive runtime and
business metrics; replace `@Public`() with an appropriate protection: remove the
`@Public`() decorator and annotate the metrics() method with a guard that enforces
a shared-secret header or network-origin check (e.g., add
`@UseGuards`(SharedSecretGuard) or `@UseGuards`(NetworkOriginGuard) and implement
that guard to validate a configured header or IP/CIDR), or alternatively move
metrics() into a separate server/port only reachable by Prometheus; ensure
metricsService.getMetricsText() remains unchanged but is only invocable when the
guard passes.

In `@src/metrics/metrics.interceptor.ts`:
- Around line 33-35: The route label currently uses request.route?.path ||
request.url || "unknown" which lets raw request.url create unbounded Prometheus
cardinality; in the intercept method of MetricsInterceptor (where the local
variable route is computed) remove the request.url fallback and default to a
fixed token like "unknown" (e.g., use request.route?.path ?? "unknown") so only
the parameterized path or the constant "unknown" is recorded as the route label.

In `@src/rabbit-mq/rabbit-mq.service.ts`:
- Around line 84-98: The metrics currently treat sendToQueue() returning false
(backpressure) as an "error"; update the publish logic in sendToQueue() handling
so that when this.getChannel().sendToQueue(...) returns false you call
this.metricsService.incrementRabbitMqMessagePublished(queue, "buffer_full")
instead of "error" while still returning the result, and keep the catch block to
record real exceptions as "error"; also update the MessageResult union (or
create a new PublishResult) in metrics.service.ts to include "buffer_full" so
the metric type is valid (references: sendToQueue(),
this.metricsService.incrementRabbitMqMessagePublished, MessageResult in
metrics.service.ts).

---

Outside diff comments:
In `@src/orders/orders.service.ts`:
- Around line 98-104: The metrics increment is recorded before publishing,
causing double/conflicting counts if rabbitmq.send throws; change handleNewOrder
so the publish succeeds before recording success: make handleNewOrder async (if
not already), await this.rabbitmq.send("orders.process", new
ProcessOrderMessageDto(order.id, order.id)), then call
this.metricsService.incrementOrderCreated("success") after the awaited send;
keep the logger.log as appropriate and do not increment on failures (let
existing outer catch record "error").

---

Nitpick comments:
In @.env.example:
- Around line 26-29: The dotenv keys in .env.example are out of alphabetical
order; reorder the four variables so they follow dotenv-linter's expected
alphabetical grouping: GRAFANA_ADMIN_PASSWORD, GRAFANA_ADMIN_USER, GRAFANA_PORT,
PROMETHEUS_PORT — update the block containing PROMETHEUS_PORT, GRAFANA_PORT,
GRAFANA_ADMIN_USER, GRAFANA_ADMIN_PASSWORD to that alphabetical sequence,
preserving values but changing only the key order.

In `@grafana/dashboards/metrics-baseline.json`:
- Around line 1-9: The dashboard JSON lacks a stable "uid" which causes Grafana
to create duplicates on re-provisioning; add a top-level "uid" property (e.g., a
short stable identifier like "ecommerce-metrics" or a generated UUID) alongside
"title": "E-commerce Metrics" and "schemaVersion": 39 so the dashboard is
updated in-place rather than recreated; ensure the uid is permanent and unique
within the Grafana instance so other dashboards or links can reliably reference
this dashboard.

In `@grafana/provisioning/datasources/datasource.yml`:
- Around line 1-7: Add a stable uid to the Prometheus datasource so
dashboards/reference by UID won't break on fresh deploys: update the datasource
block (the entry with name: Prometheus and type: prometheus) to include a uid
field with a deterministic value (e.g. "prometheus" or "prometheus-main") and
ensure any dashboard placeholders or references (e.g. ${DS_PROMETHEUS} or
hardcoded UIDs) point to that uid.

In `@prometheus/prometheus.yml`:
- Around line 1-2: The global scrape_interval is set to 5s which is more
frequent than Prometheus default; change the global.scrape_interval value from
5s to 15s to reduce TSDB load, and if you need higher resolution for specific
targets, add per-job scrape_interval overrides (e.g., set the API job's
scrape_interval to 5s and keep RabbitMQ jobs at 15s or higher) by editing the
job definitions in prometheus.yml.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4fd099d0-ab7a-4a14-9946-0ff1c3ef581f

📥 Commits

Reviewing files that changed from the base of the PR and between 7ce96c8 and 0e9e738.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (30)

• .dockerignore
• .env.example
• .github/workflows/build-and-stage.yml
• .github/workflows/deploy-prod.yml
• README.md
• compose.dev.yml
• compose.prod.yml
• compose.yml
• docs/task-9-ci-cd.md
• grafana/dashboards/metrics-baseline.json
• grafana/dashboards/rabbitmq-overview.json
• grafana/provisioning/dashboards/dashboard.yml
• grafana/provisioning/datasources/datasource.yml
• package.json
• prometheus/prometheus.yml
• rabbitmq/enabled_plugins
• src/app.module.ts
• src/metrics/metrics.controller.ts
• src/metrics/metrics.interceptor.ts
• src/metrics/metrics.module.ts
• src/metrics/metrics.service.ts
• src/orders/create-order.dto.ts
• src/orders/orders-worker.service.spec.ts
• src/orders/orders-worker.service.ts
• src/orders/orders.module.ts
• src/orders/orders.service.spec.ts
• src/orders/orders.service.ts
• src/rabbit-mq/rabbit-mq.module.ts
• src/rabbit-mq/rabbit-mq.service.spec.ts
• src/rabbit-mq/rabbit-mq.service.ts

💤 Files with no reviewable changes (1)

• compose.prod.yml