feat(mcp-server): add prometheus metrics endpoint #305

Merged: kvz merged 3 commits into main from feat/mcp-metrics on Feb 3, 2026

@kvz kvz commented Feb 2, 2026

Summary

  • expose /metrics for mcp-server HTTP and Express
  • add prom-client default metrics and config for metricsPath
  • add e2e test coverage and docs

Testing

  • corepack yarn check
  • vitest run packages/mcp-server/test/e2e/metrics.test.ts

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fdfb025468

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment on lines +56 to +60
const handler = (async (req, res) => {
if (metricsPath) {
const pathname = normalizePath(parsePathname(req.url, expectedPath))
if (pathname === metricsPath) {
if (req.method !== 'GET' && req.method !== 'HEAD') {
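
Review bot: The `pathname === metricsPath` comparison is the first thing the handler does in these lines, so a `metricsPath` configured to the same value as `expectedPath` would capture GET and HEAD requests meant for the MCP endpoint. Consider rejecting that configuration at startup, and passing the configured `metricsPath` through the same `normalizePath` that is applied to the request pathname here, so that a value with a trailing slash still matches.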

[P2] Require auth on the raw HTTP metrics endpoint

The metrics branch short‑circuits before mcpHandler, so it never applies the bearer token check that createMcpRequestHandler enforces for MCP requests. In deployments where mcpToken is required (e.g., non‑localhost binds), /metrics is still publicly readable and exposes process/runtime metrics to unauthenticated callers. Consider reusing the token check (or a separate metrics token) before returning metrics.

Useful? React with 👍 / 👎.

Comment on lines +42 to +46
if (metricsPath) {
router.get(metricsPath, async (_req, res) => {
res.setHeader('Content-Type', getMetricsContentType())
res.status(200).send(await getMetrics())
})
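
Review bot: `await getMetrics()` inside the async route callback has no error handling. On Express 4 a rejected promise from an async handler is not passed to the error middleware, so a failure while collecting metrics leaves the request without a response. Wrap the two `res` calls in try/catch and forward the error with `next(err)` (the callback would need a `next` parameter), or answer with a 500.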

[P2] Require auth on the Express metrics endpoint

The Express router adds GET/HEAD handlers for metricsPath without any of the MCP auth/CORS checks, so a configured mcpToken does not protect the metrics route. If this router is mounted on a public host, anyone can scrape runtime/process metrics. Consider applying the same auth check as the MCP handler (or a dedicated metrics token) before responding.

Useful? React with 👍 / 👎.
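
The check both review comments above ask for, as an added example (not code from this pull request or the project): a bearer-token gate placed in front of the metrics responder. `metricsToken`, `authorizeMetrics` and `guardMetrics` are hypothetical names, and leaving the route open when no token is configured is an assumption.

```javascript
const { createHash, timingSafeEqual } = require('node:crypto');

// Compare tokens in constant time; hashing first gives equal-length buffers.
function tokensMatch(presented, expected) {
  const digest = (s) => createHash('sha256').update(s, 'utf8').digest();
  return timingSafeEqual(digest(presented), digest(expected));
}

// Decide how to answer a request that already matched the metrics path.
// `metricsToken` is a hypothetical option name (it could be set to mcpToken).
function authorizeMetrics(req, { metricsToken } = {}) {
  if (req.method !== 'GET' && req.method !== 'HEAD') {
    return { status: 405, headers: { Allow: 'GET, HEAD' } };
  }
  // Assumption: no token configured means a localhost-only bind, left open.
  if (!metricsToken) return { status: 200, headers: {} };
  const match = /^Bearer +(\S+)$/i.exec(req.headers.authorization || '');
  if (!match || !tokensMatch(match[1], metricsToken)) {
    return { status: 401, headers: { 'WWW-Authenticate': 'Bearer' } };
  }
  return { status: 200, headers: {} };
}

// Wrap a metrics responder so the check runs first. Works as a node:http
// handler (no `next`) or as Express middleware on the metrics route.
function guardMetrics(options, serveMetrics) {
  return async (req, res, next) => {
    const { status, headers } = authorizeMetrics(req, options);
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    if (status !== 200) {
      res.statusCode = status;
      return res.end();
    }
    try {
      await serveMetrics(req, res);
    } catch (err) {
      if (next) return next(err); // hand off to Express error middleware
      res.statusCode = 500;
      res.end();
    }
  };
}
```

On the Express router this would be mounted as `router.get(metricsPath, guardMetrics(options, serve))`, where `serve` sets the content type and sends the metrics body.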

@kvz kvz merged commit b7795dd into main Feb 3, 2026
17 of 50 checks passed
@kvz kvz deleted the feat/mcp-metrics branch February 3, 2026 06:21