feat: add collapse_request_paths_depth config option

[kalEl2001]

Related issue(s)

#1212

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I am following the
  contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security vulnerability, I
  confirm that I got the approval (please contact
  security@ory.com) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

Further Comments

Add collapse_request_paths_depth configuration to control how many path
segments are included in Prometheus metrics labels.

Previously, collapse_request_paths: true would always collapse to just the
first path segment (e.g. /decisions/service/foo → /decisions). This change
introduces collapse_request_paths_depth (default: 1) so operators can
include more segments without exposing full dynamic paths
(e.g. with depth 2: /decisions/service/foo → /decisions/service).

I also have created a PR in the docs repo. Please check this PR.

Summary by CodeRabbit

• New Features
  • Added configurable collapse_request_paths_depth for Prometheus metrics, letting you control how many leading path segments are kept when request paths are collapsed.
  • Default value is 1; the setting applies to served metrics so collapsed request labels include the first N path segments.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR introduces a new Prometheus configuration option collapse_request_paths_depth that enables fine-tuning of request path collapsing granularity. The setting is threaded through configuration schemas, provider interfaces, middleware implementation, and server initialization to allow operators to control how many leading path segments are retained when collapsing request paths for Prometheus metrics labels.

Changes

Prometheus Request Path Collapsing Depth

Layer / File(s)	Summary
Configuration schema and provider contract .schema/config.schema.json, spec/config.schema.json, driver/configuration/config_keys.go, driver/configuration/provider.go	JSON schemas define collapse_request_paths_depth as an integer with default 1; config key constant and Provider interface method expose the new setting.
Configuration provider implementation and example driver/configuration/provider_koanf.go, driver/configuration/provider_koanf_public_test.go, internal/config/.oathkeeper.yaml	KoanfProvider accessor reads the setting with default 1, provider test verifies the value, and example config demonstrates the option.
Metrics middleware path collapsing with configurable depth metrics/middleware.go	Middleware struct tracks collapsePathsDepth field; CollapsePaths method accepts depth parameter and updates it under lock; new getFirstNPathSegments helper extracts first N path segments; ServeHTTP applies configured depth when collapsing paths.
Middleware test coverage for configurable depth metrics/middleware_test.go	Test parameter tables include collapsePathsDepth; existing tests invoke CollapsePaths with depth; new TestMiddlewareGetFirstNPathSegments validates path segmentation across depths 1–3.
Server configuration wiring cmd/server/server.go	Proxy and API server initialization retrieve PrometheusCollapseRequestPathsDepth from configuration and pass it to middleware CollapsePaths calls.

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 12.50% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description check	✅ Passed	The PR description includes the related issue (#1212), provides clear context about the feature, explains the motivation, includes a link to documentation changes, and all checklist items are completed.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding a new configuration option for controlling the depth of request path collapsing in Prometheus metrics.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

.schema/config.schema.json (1)

1260-1264: ⚡ Quick win

Enforce a positive lower bound for collapse_request_paths_depth.

The description says this is only meaningful for values greater than 0, but the schema currently accepts 0 and negatives. Add a lower bound to reject invalid config early.

Suggested patch

             "collapse_request_paths_depth": {
               "type": "integer",
+              "minimum": 1,
               "default": 1,
               "title": "CollapsePathsDepth",
               "description": "When set to a value greater than 0 the request label will include the first N segments of the request path"
             }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.schema/config.schema.json around lines 1260 - 1264, The schema property
"collapse_request_paths_depth" currently allows 0 and negative integers despite
the description requiring values > 0; add a validation lower bound by adding
"minimum": 1 to the "collapse_request_paths_depth" property in the JSON schema
so configs with 0 or negatives are rejected early (keep the existing "type",
"default", "title", and "description" intact).

spec/config.schema.json (1)

1260-1264: ⚡ Quick win

Mirror the positive lower bound for collapse_request_paths_depth here as well.

This schema copy should also enforce >= 1 so invalid values are rejected consistently.

Suggested patch

             "collapse_request_paths_depth": {
               "type": "integer",
+              "minimum": 1,
               "default": 1,
               "title": "CollapsePathsDepth",
               "description": "When set to a value greater than 0 the request label will include the first N segments of the request path"
             }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@spec/config.schema.json` around lines 1260 - 1264, The JSON schema property
"collapse_request_paths_depth" currently has "type", "default", "title", and
"description" but lacks a lower bound; add a "minimum": 1 to that property so
the schema enforces values >= 1 (mirror the lower bound used elsewhere) ensuring
invalid values are rejected consistently for "collapse_request_paths_depth".

driver/configuration/provider_koanf_public_test.go (1)

167-172: ⚡ Quick win

Add one non-default override case for the new getter.

Current coverage validates only the default value from fixture config. Add a direct override assertion to verify the accessor wiring for configured values.

Suggested test addition

 		t.Run("group=prometheus", func(t *testing.T) {
 			assert.Equal(t, "localhost:9000", p.PrometheusServeAddress())
 			assert.Equal(t, "/metrics", p.PrometheusMetricsPath())
 			assert.Equal(t, true, p.PrometheusCollapseRequestPaths())
 			assert.Equal(t, 1, p.PrometheusCollapseRequestPathsDepth())
+
+			p.SetForTest(t, configuration.PrometheusServeCollapseRequestPathsDepth, 3)
+			assert.Equal(t, 3, p.PrometheusCollapseRequestPathsDepth())
 		})

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@driver/configuration/provider_koanf_public_test.go` around lines 167 - 172,
Add a new subtest in provider_koanf_public_test.go that sets non-default values
and asserts the new getters return those overrides: call the provider (p) with
an explicit override config for PrometheusServeAddress, PrometheusMetricsPath,
PrometheusCollapseRequestPaths, and PrometheusCollapseRequestPathsDepth and
assert the returned values from PrometheusServeAddress(),
PrometheusMetricsPath(), PrometheusCollapseRequestPaths(), and
PrometheusCollapseRequestPathsDepth() match the overridden inputs to verify
accessor wiring for configured values.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@metrics/middleware.go`:
- Around line 76-80: CollapsePaths accepts any depth and writes without
validating, and ServeHTTP reads shared fields without using RLock; validate the
depth in CollapsePaths (e.g., ensure depth > 0 and clamp or set a sane default)
before acquiring the write lock and setting m.collapsePathsDepth, and in
ServeHTTP wrap all reads of m.silencePaths, m.hidePaths, m.collapsePaths, and
m.collapsePathsDepth with m.mutex.RLock()/RUnlock() to avoid concurrent-access
races (also apply the same RLock protection to the other read sites mentioned
around ServeHTTP and the blocks at the ranges noted).

---

Nitpick comments:
In @.schema/config.schema.json:
- Around line 1260-1264: The schema property "collapse_request_paths_depth"
currently allows 0 and negative integers despite the description requiring
values > 0; add a validation lower bound by adding "minimum": 1 to the
"collapse_request_paths_depth" property in the JSON schema so configs with 0 or
negatives are rejected early (keep the existing "type", "default", "title", and
"description" intact).

In `@driver/configuration/provider_koanf_public_test.go`:
- Around line 167-172: Add a new subtest in provider_koanf_public_test.go that
sets non-default values and asserts the new getters return those overrides: call
the provider (p) with an explicit override config for PrometheusServeAddress,
PrometheusMetricsPath, PrometheusCollapseRequestPaths, and
PrometheusCollapseRequestPathsDepth and assert the returned values from
PrometheusServeAddress(), PrometheusMetricsPath(),
PrometheusCollapseRequestPaths(), and PrometheusCollapseRequestPathsDepth()
match the overridden inputs to verify accessor wiring for configured values.

In `@spec/config.schema.json`:
- Around line 1260-1264: The JSON schema property "collapse_request_paths_depth"
currently has "type", "default", "title", and "description" but lacks a lower
bound; add a "minimum": 1 to that property so the schema enforces values >= 1
(mirror the lower bound used elsewhere) ensuring invalid values are rejected
consistently for "collapse_request_paths_depth".

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 4b433253-52b4-48c8-9aa0-352399081376

📥 Commits

Reviewing files that changed from the base of the PR and between 18212fc and 5439469.

📒 Files selected for processing (10)

• .schema/config.schema.json
• cmd/server/server.go
• driver/configuration/config_keys.go
• driver/configuration/provider.go
• driver/configuration/provider_koanf.go
• driver/configuration/provider_koanf_public_test.go
• internal/config/.oathkeeper.yaml
• metrics/middleware.go
• metrics/middleware_test.go
• spec/config.schema.json