Implement or remove /api/metrics/prometheus (PUBLIC_PATHS lists a 404)

## What to build

The auth middleware's `PUBLIC_PATHS` frozenset lists `/api/metrics/prometheus` as a public route, but the health module only defines `/api/metrics` (JSON). The Prometheus path returns 404 for everyone, including monitoring scrapers that follow the documented bypass list.

Decide: either implement the Prometheus exporter route (probably using prometheus-client text format) or drop the entry from PUBLIC_PATHS.

## Acceptance criteria

- [ ] Either `/api/metrics/prometheus` returns 200 with `text/plain; version=0.0.4` Prometheus exposition format, OR the entry is removed from PUBLIC_PATHS
- [ ] If implemented: at least one counter, one gauge, and one histogram are exposed (e.g. `hal0_requests_total`, `hal0_slot_state`, `hal0_chat_completion_latency_seconds`)
- [ ] If implemented: smoke test confirms the response parses with prometheus-client's text-format parser
- [ ] Either way: PUBLIC_PATHS and the implementation are in sync

## Blocked by

None - can start immediately

---

_Sourced from `tests/harness/FINDINGS.md` §21 (low)._

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Implement or remove /api/metrics/prometheus (PUBLIC_PATHS lists a 404) #36

What to build

Acceptance criteria

Blocked by

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Implement or remove /api/metrics/prometheus (PUBLIC_PATHS lists a 404) #36

Description

What to build

Acceptance criteria

Blocked by

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions