Extend StatsDataProvider coverage to /report, /timeseries, and /metrics endpoints

Co-authored-by: luisgizirian <598685+luisgizirian@users.noreply.github.com>

Author: Copilot

README.md

@@ -1262,7 +1262,7 @@ Ops Defender provides **four extensibility points** that allow external code to
 1. **RequestPreHandler** - Intercept requests **before** processing (early bypass)
 2. **PatternAnalyzer** - Inject custom pattern detection **during** deferred analysis
 3. **RequestPostHandler** - Intercept requests **after** processing, before response (override decisions)
-4. **StatsDataProvider** - Contribute custom data **to** `/stats` and `/events` responses
+4. **StatsDataProvider** - Contribute custom data **to all informational endpoints** (`/stats`, `/report`, `/timeseries`, `/metrics`, `/events`)
 
 ### Extension Point 1: RequestPreHandler (Pre-Request Bypass)
 
@@ -1894,23 +1894,37 @@ Ops Defender's four extension points provide complete request lifecycle and obse
 1. **PreHandler** - Early bypass (before any processing)
 2. **PatternAnalyzer** - Custom detection (during deferred analysis)
 3. **PostHandler** - Final override (after processing, before response)
-4. **StatsDataProvider** - Custom data in `/stats` and `/events` responses
+4. **StatsDataProvider** - Custom data in all informational endpoints (`/stats`, `/report`, `/timeseries`, `/metrics`, `/events`)
 
 This architecture enables complete customization without modifying core code.
 
 ### Extension Point 4: StatsDataProvider (Custom Queryable Data)
 
-Allows extensions to contribute custom data to the `/stats` and `/events` endpoints. Data is namespaced by provider name under an `"extensions"` key, so multiple providers cannot conflict with each other or with core fields.
+Allows extensions to contribute custom data to **all informational endpoints**. Register once — your data appears across `/stats`, `/report`, `/timeseries`, `/events` (SSE), and `/metrics` (Prometheus) without creating per-extension routes.
+
+Data is namespaced by provider name under an `"extensions"` key in JSON responses. In `/metrics`, numeric values are exposed as Prometheus gauges named `ops_defender_extension_<provider>_<key>`. Non-numeric values are skipped in the Prometheus output.
+
+**Covered endpoints:**
+
+| Endpoint | Format | How extension data appears |
+|----------|--------|---------------------------|
+| `/stats` | JSON | `"extensions": { "<name>": { ... } }` |
+| `/report` | JSON | `"extensions": { "<name>": { ... } }` |
+| `/timeseries` | JSON | `"extensions": { "<name>": { ... } }` |
+| `/events` | SSE JSON | `"extensions": { "<name>": { ... } }` in `stats_update` events |
+| `/metrics` | Prometheus text | `ops_defender_extension_<name>_<key> <numeric_value>` |
 
 **Use Cases:**
-- Expose extension-specific counters or state via the existing `/stats` endpoint
+- Expose extension-specific counters or state via existing endpoints
 - Include custom metrics in the real-time `/events` SSE stream
-- Provide per-extension diagnostics to operators without creating per-extension endpoints
+- Surface extension data in Prometheus/Grafana dashboards
+- Provide per-extension diagnostics in periodic reports
 
 **Interface:**
 ```go
 type StatsDataProvider interface {
-    // GetStats returns custom key-value data included in /stats and /events responses.
+    // GetStats returns custom key-value data included in all informational endpoint responses.
+    // Numeric values are also emitted as Prometheus gauges in /metrics.
     // Called on the response path - keep it fast (use cached/in-memory data).
     GetStats() (map[string]interface{}, error)
 
@@ -1938,6 +1952,20 @@ type StatsDataProvider interface {
 }
 ```
 
+**Prometheus `/metrics` output** (numeric values only):
+```text
+# HELP ops_defender_extension_sql_injection_detector_sql_attempts_detected Extension metric from sql-injection-detector
+# TYPE ops_defender_extension_sql_injection_detector_sql_attempts_detected gauge
+ops_defender_extension_sql_injection_detector_sql_attempts_detected 42
+
+# HELP ops_defender_extension_geo_blocker_blocked_by_geo Extension metric from geo-blocker
+# TYPE ops_defender_extension_geo_blocker_blocked_by_geo gauge
+ops_defender_extension_geo_blocker_blocked_by_geo 7
+```
+
+> Metric names are auto-sanitized: hyphens and spaces → underscores, lowercased.
+> String/boolean values are silently skipped in Prometheus output but still appear in JSON responses.
+
 **Example Implementation:**
 ```go
 type SQLInjectionStats struct {
@@ -1953,7 +1981,7 @@ func (s *SQLInjectionStats) GetStats() (map[string]interface{}, error) {
     defer s.mu.Unlock()
     return map[string]interface{}{
         "sql_attempts_detected": s.attempts,
-        "last_detected_ip":      s.lastIP,
+        "last_detected_ip":      s.lastIP, // appears in JSON; skipped in Prometheus
     }, nil
 }
 

pkg/defender/defender.go

@@ -1450,14 +1450,15 @@ func (d *Defender) GetStats(w http.ResponseWriter, r *http.Request) {
 }
 
 type Report struct {
-	GeneratedAt      string               `json:"generated_at"`
-	Period           string               `json:"period"`
-	TotalRequests    int64                `json:"total_requests"`
-	BlockedRequests  int64                `json:"blocked_requests"`
-	UniqueIPs        int                  `json:"unique_ips"`
-	BlockedIPs       int                  `json:"blocked_ips_count"`
-	BlockEvents      []storage.BlockEvent `json:"block_events"`
-	TopSuspiciousIPs []IPStats            `json:"top_suspicious_ips"`
+	GeneratedAt      string                 `json:"generated_at"`
+	Period           string                 `json:"period"`
+	TotalRequests    int64                  `json:"total_requests"`
+	BlockedRequests  int64                  `json:"blocked_requests"`
+	UniqueIPs        int                    `json:"unique_ips"`
+	BlockedIPs       int                    `json:"blocked_ips_count"`
+	BlockEvents      []storage.BlockEvent   `json:"block_events"`
+	TopSuspiciousIPs []IPStats              `json:"top_suspicious_ips"`
+	Extensions       map[string]interface{} `json:"extensions,omitempty"`
 }
 
 func (d *Defender) GenerateReport(periodHours int) Report {
@@ -1520,6 +1521,9 @@ func (d *Defender) GenerateReport(periodHours int) Report {
 		}
 	}
 
+	// Collect data from registered StatsDataProviders
+	report.Extensions = d.collectExtensionStats()
+
 	return report
 }
 

pkg/defender/defender_test.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"strings"
 	"sync"
 	"testing"
 	"time"
@@ -2397,3 +2398,224 @@ if _, exists := raw["extensions"]; exists {
 t.Error("Expected 'extensions' field to be absent when no providers registered")
 }
 }
+
+func TestDefender_GetReport_IncludesExtensions(t *testing.T) {
+d := newTestDefender()
+
+d.RegisterStatsProvider(&mockStatsDataProvider{
+name: "report-ext",
+data: map[string]interface{}{"report_metric": 7},
+})
+
+req := httptest.NewRequest("GET", "/report?period=1", nil)
+w := httptest.NewRecorder()
+d.GetReport(w, req)
+
+if w.Code != http.StatusOK {
+t.Fatalf("Expected 200, got %d", w.Code)
+}
+
+var report Report
+if err := json.NewDecoder(w.Body).Decode(&report); err != nil {
+t.Fatalf("Failed to decode report: %v", err)
+}
+
+if report.Extensions == nil {
+t.Fatal("Expected extensions field to be non-nil")
+}
+
+extData, ok := report.Extensions["report-ext"]
+if !ok {
+t.Fatal("Expected 'report-ext' key in extensions")
+}
+
+dataMap, ok := extData.(map[string]interface{})
+if !ok {
+t.Fatalf("Expected map, got %T", extData)
+}
+
+if dataMap["report_metric"] != float64(7) {
+t.Errorf("Expected report_metric=7, got %v", dataMap["report_metric"])
+}
+}
+
+func TestDefender_GetReport_NoExtensions_OmitsField(t *testing.T) {
+d := newTestDefender()
+
+req := httptest.NewRequest("GET", "/report?period=1", nil)
+w := httptest.NewRecorder()
+d.GetReport(w, req)
+
+if w.Code != http.StatusOK {
+t.Fatalf("Expected 200, got %d", w.Code)
+}
+
+var raw map[string]interface{}
+if err := json.NewDecoder(w.Body).Decode(&raw); err != nil {
+t.Fatalf("Failed to decode report: %v", err)
+}
+
+if _, exists := raw["extensions"]; exists {
+t.Error("Expected 'extensions' field to be absent when no providers registered")
+}
+}
+
+func TestDefender_MetricsHandler_IncludesExtensions(t *testing.T) {
+d := newTestDefender()
+
+d.RegisterStatsProvider(&mockStatsDataProvider{
+name: "my-provider",
+data: map[string]interface{}{
+"hit_count":   int64(123),
+"string_skip": "ignored",
+},
+})
+
+req := httptest.NewRequest("GET", "/metrics", nil)
+w := httptest.NewRecorder()
+d.MetricsHandler(w, req)
+
+if w.Code != http.StatusOK {
+t.Fatalf("Expected 200, got %d", w.Code)
+}
+
+body := w.Body.String()
+
+// Numeric value should appear as a Prometheus gauge
+if !strings.Contains(body, "ops_defender_extension_my_provider_hit_count") {
+t.Errorf("Expected extension metric 'ops_defender_extension_my_provider_hit_count' in output, got:\n%s", body)
+}
+
+// String values must be skipped
+if strings.Contains(body, "string_skip") {
+t.Errorf("Expected string value to be skipped, but found 'string_skip' in output")
+}
+}
+
+func TestDefender_MetricsHandler_NoExtensions_NoExtraOutput(t *testing.T) {
+d := newTestDefender()
+
+req := httptest.NewRequest("GET", "/metrics", nil)
+w := httptest.NewRecorder()
+d.MetricsHandler(w, req)
+
+body := w.Body.String()
+
+if strings.Contains(body, "ops_defender_extension_") {
+t.Errorf("Expected no extension metrics with no providers, but found some in output:\n%s", body)
+}
+}
+
+func TestDefender_TimeSeriesHandler_IncludesExtensions(t *testing.T) {
+d := newTestDefender()
+
+d.RegisterStatsProvider(&mockStatsDataProvider{
+name: "ts-ext",
+data: map[string]interface{}{"ts_counter": 55},
+})
+
+req := httptest.NewRequest("GET", "/timeseries?period=1&interval=1h", nil)
+w := httptest.NewRecorder()
+d.TimeSeriesHandler(w, req)
+
+if w.Code != http.StatusOK {
+t.Fatalf("Expected 200, got %d", w.Code)
+}
+
+var resp TimeSeriesResponse
+if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
+t.Fatalf("Failed to decode timeseries response: %v", err)
+}
+
+if resp.Extensions == nil {
+t.Fatal("Expected extensions field to be non-nil")
+}
+
+extData, ok := resp.Extensions["ts-ext"]
+if !ok {
+t.Fatal("Expected 'ts-ext' key in extensions")
+}
+
+dataMap, ok := extData.(map[string]interface{})
+if !ok {
+t.Fatalf("Expected map, got %T", extData)
+}
+
+if dataMap["ts_counter"] != float64(55) {
+t.Errorf("Expected ts_counter=55, got %v", dataMap["ts_counter"])
+}
+}
+
+func TestDefender_TimeSeriesHandler_NoExtensions_OmitsField(t *testing.T) {
+d := newTestDefender()
+
+req := httptest.NewRequest("GET", "/timeseries?period=1&interval=1h", nil)
+w := httptest.NewRecorder()
+d.TimeSeriesHandler(w, req)
+
+if w.Code != http.StatusOK {
+t.Fatalf("Expected 200, got %d", w.Code)
+}
+
+var raw map[string]interface{}
+if err := json.NewDecoder(w.Body).Decode(&raw); err != nil {
+t.Fatalf("Failed to decode timeseries response: %v", err)
+}
+
+if _, exists := raw["extensions"]; exists {
+t.Error("Expected 'extensions' field to be absent when no providers registered")
+}
+}
+
+func TestSanitizePrometheusName(t *testing.T) {
+tests := []struct {
+input    string
+expected string
+}{
+{"my-provider", "my_provider"},
+{"My Provider", "my_provider"},
+{"hit.count", "hit_count"},
+{"sql-injection-detector", "sql_injection_detector"},
+{"already_valid", "already_valid"},
+{"has spaces", "has_spaces"},
+}
+
+for _, tt := range tests {
+t.Run(tt.input, func(t *testing.T) {
+got := sanitizePrometheusName(tt.input)
+if got != tt.expected {
+t.Errorf("sanitizePrometheusName(%q) = %q, want %q", tt.input, got, tt.expected)
+}
+})
+}
+}
+
+func TestToFloat64(t *testing.T) {
+tests := []struct {
+input    interface{}
+expected float64
+ok       bool
+}{
+{int(42), 42.0, true},
+{int32(10), 10.0, true},
+{int64(100), 100.0, true},
+{float32(3.14), float64(float32(3.14)), true},
+{float64(2.71), 2.71, true},
+{uint(5), 5.0, true},
+{uint32(7), 7.0, true},
+{uint64(9), 9.0, true},
+{"string", 0, false},
+{true, 0, false},
+{nil, 0, false},
+}
+
+for _, tt := range tests {
+got, ok := toFloat64(tt.input)
+if ok != tt.ok {
+t.Errorf("toFloat64(%v): ok=%v, want %v", tt.input, ok, tt.ok)
+}
+if ok && got != tt.expected {
+t.Errorf("toFloat64(%v) = %v, want %v", tt.input, got, tt.expected)
+}
+}
+}