SEC-07: add QueryActiveAlarmsRequest -> events:read scope arm; fix two tests that
constructed StreamAlarmsRequest instead of QueryActiveAlarmsRequest.
SEC-05: shorten hub-token lifetime 30m -> 5m; document that the ?access_token= query
carriage must never be request-logged.
SEC-08: gateway-side CachingApiKeyVerifier (short TTL, keyed on a hash of the presented
secret) skips the per-call store read+last_used write; CoalescingMarkApiKeyStore bounds
last_used writes to <=1/key/min; identity constraints are cached. Invalidation is wired
at the gateway admin sites (revoke/rotate/delete); short TTL backstops out-of-process CLI.
SEC-11: fixed-window rate limit on POST /auth/login + a per-peer (key-id) failure limiter
checked before VerifyAsync; new MxGateway:Security options bound + validated.
Also fixes regressions from the SEC-01/04/06 commit (c185f62) that a narrow test filter
missed (all now covered by a full-suite checkpoint):
- Rooting check is cross-platform: accepts Windows C:\/UNC forms on Unix so the shipped
appsettings path validates on the macOS dev box, still rejecting bare filenames.
- AddGatewayConfiguration TryAdds a non-production IHostEnvironment fallback so the validator
resolves in minimal test/tooling containers; the real host + apikey CLI register the actual
environment first (TryAdd no-op there).
- Test assembly defaults ASPNETCORE_ENVIRONMENT=Development (ModuleInitializer) so full-host
tests exercise wiring instead of tripping the SEC-04/06 production guards.
- GatewayOptionsTests asserts the SEC-01 CommonApplicationData-derived default (platform-correct).
archreview: SEC-07/05/08/11 (P1). Verified: NonWindows build clean; full gateway suite
747 passed / 42 failed, where all 42 are the pre-existing macOS named-pipe-harness failures
(Unix-socket path limit) and 0 are validation/regression failures.
11 KiB
Gateway Metrics
The metrics subsystem exposes counters, histograms, and observable gauges that describe gateway throughput, queue health, and worker lifecycle. Both the System.Diagnostics.Metrics pipeline and the in-memory GatewayMetricsSnapshot consume the same underlying state, so external collectors and the dashboard see consistent numbers.
Overview
GatewayMetrics is a singleton (registered in GatewayApplication.cs) that owns a single Meter named ZB.MOM.WW.MxGateway and a set of synchronised counters, histograms, and observable gauges. Subsystems call typed mutator methods (SessionOpened, CommandFailed, EventReceived, etc.) rather than touching the Meter directly, which keeps the OpenTelemetry instrument names and tag conventions in one place. A lock (_syncRoot) block guards the scalar fields used by GetSnapshot, while per-event maps use ConcurrentDictionary<string, long> so the hot event path avoids the lock.
Meter and OpenTelemetry Compatibility
The meter name is exposed as a constant so that hosting code can register it with an OpenTelemetry exporter:
public sealed class GatewayMetrics : IDisposable
{
public const string MeterName = "ZB.MOM.WW.MxGateway";
public GatewayMetrics()
{
_meter = new Meter(MeterName, typeof(GatewayMetrics).Assembly.GetName().Version?.ToString());
_sessionsOpenedCounter = _meter.CreateCounter<long>("mxgateway.sessions.opened");
...
}
}
The meter version is the gateway assembly version, which gives exporters a stable identifier per build. All instrument names use the dotted mxgateway.<area>.<event> convention so they group cleanly under a single namespace in tools such as Prometheus, OTLP collectors, or dotnet-counters.
Instrument Inventory
Counters
All counters are Counter<long>. Tag values come from the call sites listed under Recording Sites.
| Instrument | Tags | What it measures |
|---|---|---|
mxgateway.sessions.opened |
none | Successful SessionManager.OpenSession completions. |
mxgateway.sessions.closed |
none | Sessions closed cleanly via SessionManager. |
mxgateway.commands.started |
method |
Command dispatches initiated by WorkerClient. |
mxgateway.commands.succeeded |
method |
Commands acknowledged with success by the worker. |
mxgateway.commands.failed |
method, category |
Command failures, where category is the WorkerClientErrorCode or exception type name. |
mxgateway.events.received |
family |
Worker events accepted into the event pipeline. |
mxgateway.queues.overflows |
queue |
Drops when a bounded queue rejects a message (e.g. grpc-event-stream). |
mxgateway.faults |
category |
Faults reported by session, event, or worker code paths. The category is a SessionManagerErrorCode or WorkerClientErrorCode name. |
mxgateway.workers.killed |
reason |
Forced terminations of worker processes. |
mxgateway.workers.exited |
reason |
Clean or fault-driven worker exits. |
mxgateway.heartbeats.failed |
session_id |
Worker heartbeat misses tracked per session. |
mxgateway.grpc.streams.disconnected |
reason |
Detachments of the dashboard or client gRPC event stream. |
mxgateway.retries.attempted |
area |
Resilience retries executed by gateway components. |
Histograms
Histograms record durations in seconds (the unit argument on CreateHistogram):
_workerStartupLatencyHistogram = _meter.CreateHistogram<double>("mxgateway.workers.startup.duration", "s");
_commandLatencyHistogram = _meter.CreateHistogram<double>("mxgateway.commands.duration", "s");
_eventStreamSendLatencyHistogram = _meter.CreateHistogram<double>("mxgateway.events.stream_send.duration", "s");
| Instrument | Tags | What it measures |
|---|---|---|
mxgateway.workers.startup.duration |
none | Time from WorkerClient launch to worker-ready. |
mxgateway.commands.duration |
method, optional category |
Command round-trip time. The category tag is added on failure so success and failure latencies stay distinguishable. |
mxgateway.events.stream_send.duration |
family |
Time spent writing each public event to the gRPC response stream in MxAccessGatewayService.StreamEvents. |
Observable gauges
Observable gauges are pull-based; the Meter invokes the supplied callback whenever a listener samples it. Each callback re-acquires _syncRoot so the gauge value matches the snapshot taken at the same instant.
| Instrument | Source field | Description |
|---|---|---|
mxgateway.sessions.open |
_openSessions |
Currently open sessions tracked by SessionManager. |
mxgateway.workers.running |
_workersRunning |
Worker clients in a running state. |
mxgateway.events.worker_queue.depth |
_workerEventQueueDepth |
Last reported depth of the worker-side event queue. |
mxgateway.events.grpc_stream_queue.depth |
_grpcEventStreamQueueDepth |
Backlog held by EventStreamService for the active gRPC stream consumer. |
Snapshot Shape
GatewayMetricsSnapshot is the immutable view of the same state, returned by GatewayMetrics.GetSnapshot() while holding _syncRoot. The dictionaries are copied so the caller can iterate without further synchronisation. The dashboard service is the primary consumer.
public sealed record GatewayMetricsSnapshot(
int OpenSessions,
int WorkersRunning,
int WorkerEventQueueDepth,
int GrpcEventStreamQueueDepth,
long SessionsOpened,
long SessionsClosed,
long CommandsStarted,
long CommandsSucceeded,
long CommandsFailed,
long EventsReceived,
long QueueOverflows,
long Faults,
long WorkerKills,
long WorkerExits,
long HeartbeatFailures,
long StreamDisconnects,
long RetryAttempts,
IReadOnlyDictionary<string, long> CommandFailuresByMethod,
IReadOnlyDictionary<string, long> EventsByFamily,
IReadOnlyDictionary<string, long> EventsBySession,
IReadOnlyDictionary<string, long> RetryAttemptsByArea);
The scalar fields mirror the counters and gauges. The four dictionaries provide the breakdowns that counter tags would otherwise require an exporter to aggregate:
CommandFailuresByMethodkeys by gRPC method name.EventsByFamilykeys by event family (theFamilyenum on a worker event).EventsBySessionkeys bysessionId; entries are removed viaRemoveSessionEventswhen a session closes so the map does not grow without bound.RetryAttemptsByAreakeys by the resilienceareatag, e.g.worker_startup.
EventsReceived is read with Interlocked.Read(ref _eventsReceived) because EventReceived increments it via Interlocked.Increment outside the lock to keep the event-ingestion path non-blocking.
Recording Sites
The recording call sites describe the code paths that write into each instrument. This mapping makes it easier to trace an unexpected counter reading back to a subsystem.
Session manager
Sessions/SessionManager.cs emits session lifecycle and fault counters:
_metrics.SessionOpened();
...
_metrics.Fault(SessionManagerErrorCode.OpenFailed.ToString());
...
_metrics.SessionClosed();
...
_metrics.SessionRemoved();
...
_metrics.Fault(SessionManagerErrorCode.CloseFailed.ToString());
...
_metrics.RemoveSessionEvents(session.SessionId);
SessionRemoved decrements the open-session gauge without incrementing the closed counter, which covers cases where a session is evicted rather than closed by the client.
Worker client
Workers/WorkerClient.cs records command throughput, worker lifecycle, heartbeat failures, and the worker-side event queue depth:
CommandStarted(method)andCommandSucceeded(method, duration)/CommandFailed(method, category, duration)around the worker request/response pair.WorkerStarted(startupDuration)once the worker reports ready.RecordWorkerStoppedOncecallsWorkerStopped(reason)exactly once per worker, guarding against double-counting on simultaneous fault and exit signals.WorkerKilled(reason)when the client forcibly terminates the worker.HeartbeatFailed(SessionId)per missed heartbeat.SetWorkerEventQueueDepth(queueDepth)after each event ingest.EventReceived(SessionId, workerEvent.Event.Family.ToString())for each worker event.
Worker process launcher
Workers/WorkerProcessLauncher.cs records process-level kills and startup retries:
_metrics.WorkerKilled(reason);
...
_metrics.RetryAttempted("worker_startup");
The worker_startup tag is hard-coded so the RetryAttemptsByArea snapshot reports launcher retries distinctly from other resilience areas.
Session worker client factory
Sessions/SessionWorkerClientFactory.cs records the worker kill that follows a failed OpenSession handshake:
_metrics.WorkerKilled("OpenSessionFailed");
This is the only fault path where the factory itself owns the kill decision; once the worker is bound to a session, the WorkerClient becomes responsible for lifecycle metrics.
gRPC event stream service
Grpc/EventStreamService.cs records the dashboard/client event-stream backlog and disconnect counters:
metrics.AdjustGrpcEventStreamQueueDepth(1);
...
metrics.AdjustGrpcEventStreamQueueDepth(-1);
...
metrics.AdjustGrpcEventStreamQueueDepth(-remainingDepth);
metrics.StreamDisconnected("Detached");
...
metrics.QueueOverflow("grpc-event-stream");
metrics.Fault(SessionManagerErrorCode.EventQueueOverflow.ToString());
...
metrics.Fault(WorkerClientErrorCode.WorkerFaulted.ToString());
The service tracks per-message enqueues and dequeues, so AdjustGrpcEventStreamQueueDepth updates the aggregate stream backlog. The Math.Max(0, ...) clamp inside the adjuster prevents a negative depth if the bookkeeping ever drifts.
Grpc/MxAccessGatewayService.cs records gRPC event send latency around each response-stream write:
Stopwatch stopwatch = Stopwatch.StartNew();
await responseStream.WriteAsync(publicEvent).ConfigureAwait(false);
metrics.RecordEventStreamSend(publicEvent.Family.ToString(), stopwatch.Elapsed);
Dashboard Consumption
Dashboard/DashboardSnapshotService.cs calls _metrics.GetSnapshot() once per GetSnapshot invocation and projects it into the dashboard transport types together with the session registry view. The dashboard receives a single, internally consistent snapshot per tick rather than reading individual counters at separate times. See Gateway Dashboard Design and Dashboard Interface Design for the projection rules and wire format.
Auth Store Write Churn
The per-RPC authentication path is a hidden write source: the shared verifier
refreshes last_used_utc on every authenticated call. To keep that off the
auth-store throughput ceiling, the gateway caches successful verifications for a
short TTL and coalesces the last_used_utc write to at most one per key per
window (MxGateway:Security:ApiKeyVerificationCacheSeconds /
ApiKeyLastUsedCoalesceSeconds, defaults 15 s / 60 s). This bounds WAL churn on
the bulk-read workload without dropping any metric — auth activity is still
observable via command-throughput counters and audit rows. See
Authentication.