OpenMetrics endpoint names private scopes
The intention of the metrics endpoint was to not leak private data, but it names private scopes.
The spec:
Security
The goal of the endpoint is to be public, and not leak anything private going on in private workspaces or scopes.
It will leak the type and quantity of tasks in queues, which could be used to determine something about what's happening in private workspaces. The hope would be that if there's enough happening on a debusine instance, the noise would drown out any ability to infer what is being executed from these metrics.
The endpoint is not scoped, as we're interested in system-wide statistics. It would probably work perfectly as a scoped endpoint, so if a scoped token is supplied, it could filter to that scope. (This is not a requirement, it is out of scope.) Workers tend not to be scoped, so they'd have the same values across scopes.
The endpoint doesn't need to require any auth, but if performance is an issue, it may be necessary to require auth, or to cache the response for a short amount of time (maybe 30 seconds).
We changed from workspace to scope labeling late in the spec design, so this was missed. I think we should just count up all the activity from all private scopes under the label "scope=_private" (valid scope names can't start with _).
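A sketch of the aggregation proposed above, added here as an example and not taken from debusine's code: private scopes are summed under the `_private` label before rendering, and a check confirms no private scope name reaches the output. The `Sample` shape, the `example_queued_tasks` metric name, the `task_type` label and the sample scopes are all assumptions made for illustration.

```python
from collections import Counter
from typing import Iterable, NamedTuple

# Scope names cannot start with "_" (per the issue), so this label cannot
# collide with a real scope.
PRIVATE_LABEL = "_private"


class Sample(NamedTuple):
    """Hypothetical per-scope queue count; not debusine's data model."""
    scope: str
    public: bool
    task_type: str
    count: int


def collapse_private(samples: Iterable[Sample]) -> Counter:
    """Sum counts per (scope, task_type), merging all private scopes."""
    totals: Counter = Counter()
    for s in samples:
        if s.scope.startswith("_"):
            raise ValueError(f"invalid scope name: {s.scope!r}")
        label = s.scope if s.public else PRIVATE_LABEL
        totals[(label, s.task_type)] += s.count
    return totals


def render(totals: Counter, metric: str = "example_queued_tasks") -> str:
    """Render OpenMetrics text; assumes label values need no escaping."""
    lines = [f"# TYPE {metric} gauge"]
    for (scope, task_type), n in sorted(totals.items()):
        lines.append(f'{metric}{{scope="{scope}",task_type="{task_type}"}} {n}')
    lines.append("# EOF")
    return "\n".join(lines) + "\n"


def leaked_names(samples: Iterable[Sample], exposition: str) -> set:
    """Return private scope names that appear anywhere in the output."""
    return {s.scope for s in samples if not s.public and s.scope in exposition}


# Constructed sample data: one public scope, two private ones.
SAMPLES = [
    Sample("debian", True, "sbuild", 12),
    Sample("acme-internal", False, "sbuild", 3),
    Sample("acme-internal", False, "lintian", 1),
    Sample("secret-lab", False, "sbuild", 4),
]
```

A check like `leaked_names` fits in a regression test for the endpoint, so that a later change to labeling cannot reintroduce private scope names unnoticed.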