refactor: replace metrics decorator chain with HTTP middleware and Track helper

CHANGELOG.md

@@ -20,6 +20,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Unified the two rate limiter store implementations (`rateLimiterStore` / `tokenRateLimiterStore`) behind a single generic `rateLimiterStore[K comparable]`; `RateLimitMiddleware` and `TokenRateLimitMiddleware` are now thin adapters over a shared factory. No behavior change.
 - Folded the `Algorithm` return value into `TransitKey.Algorithm` so `GetTransitKey` and `Get` return `(*TransitKey, error)` instead of a three-value tuple; replaced `crypto/domain.Algorithm` with `keyring.Algorithm` across transit and tokenization layers. No behavior change.
 - Collapsed `internal/crypto/{domain,repository,service,usecase}` into `internal/keyring`; all types, stores, cipher primitives, KMS adapter, and KEK use case now live in a single package. No behavior change.
+- Replaced seven shallow metrics decorator structs with a single `BusinessMetricsMiddleware` applied per-route in the HTTP server and a `metrics.Track` helper for CLI commands; added `NopBusinessMetrics` so the DI container always returns a valid recorder instead of branching on `MetricsEnabled`. No behavior change.
 
 ## [0.28.0] - 2026-03-23
 

cmd/app/auth_commands.go

@@ -44,10 +44,15 @@ func getAuthCommands() []*cli.Command {
 						if err != nil {
 							return err
 						}
+						bm, err := container.BusinessMetrics(ctx)
+						if err != nil {
+							return err
+						}
 
 						return commands.RunPurgeAuthTokens(
 							ctx,
 							tokenUseCase,
+							bm,
 							container.Logger(),
 							commands.DefaultIO().Writer,
 							int(cmd.Int("days")),
@@ -89,10 +94,15 @@ func getAuthCommands() []*cli.Command {
 						if err != nil {
 							return err
 						}
+						bm, err := container.BusinessMetrics(ctx)
+						if err != nil {
+							return err
+						}
 
 						return commands.RunCleanExpiredTokens(
 							ctx,
 							tokenizationUseCase,
+							bm,
 							container.Logger(),
 							commands.DefaultIO().Writer,
 							int(cmd.Int("days")),

cmd/app/commands/clean_expired_tokens.go

@@ -7,6 +7,7 @@ import (
 	"io"
 	"log/slog"
 
+	"github.com/allisson/secrets/internal/metrics"
 	tokenizationUseCase "github.com/allisson/secrets/internal/tokenization/usecase"
 )
 
@@ -44,6 +45,7 @@ func (r *CleanExpiredTokensResult) ToJSON() string {
 func RunCleanExpiredTokens(
 	ctx context.Context,
 	tokenizationUseCase tokenizationUseCase.TokenizationUseCase,
+	bm metrics.BusinessMetrics,
 	logger *slog.Logger,
 	writer io.Writer,
 	days int,
@@ -61,8 +63,12 @@ func RunCleanExpiredTokens(
 	)
 
 	// Execute deletion or count operation
-	count, err := tokenizationUseCase.CleanupExpired(ctx, days, dryRun)
-	if err != nil {
+	var count int64
+	if err := metrics.Track(ctx, bm, "tokenization", "tokenize_cleanup_expired", func() error {
+		var e error
+		count, e = tokenizationUseCase.CleanupExpired(ctx, days, dryRun)
+		return e
+	}); err != nil {
 		return fmt.Errorf("failed to cleanup expired tokens: %w", err)
 	}
 

cmd/app/commands/clean_expired_tokens_test.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 
+	"github.com/allisson/secrets/internal/metrics"
 	tokenizationMocks "github.com/allisson/secrets/internal/tokenization/usecase/mocks"
 )
 
@@ -21,7 +22,16 @@ func TestRunCleanExpiredTokens(t *testing.T) {
 		mockUseCase.On("CleanupExpired", ctx, days, false).Return(int64(100), nil)
 
 		var out bytes.Buffer
-		err := RunCleanExpiredTokens(ctx, mockUseCase, logger, &out, days, false, "text")
+		err := RunCleanExpiredTokens(
+			ctx,
+			mockUseCase,
+			metrics.NewNopBusinessMetrics(),
+			logger,
+			&out,
+			days,
+			false,
+			"text",
+		)
 
 		require.NoError(t, err)
 		require.Contains(t, out.String(), "Successfully deleted 100 expired token(s)")
@@ -33,7 +43,16 @@ func TestRunCleanExpiredTokens(t *testing.T) {
 		mockUseCase.On("CleanupExpired", ctx, days, true).Return(int64(50), nil)
 
 		var out bytes.Buffer
-		err := RunCleanExpiredTokens(ctx, mockUseCase, logger, &out, days, true, "json")
+		err := RunCleanExpiredTokens(
+			ctx,
+			mockUseCase,
+			metrics.NewNopBusinessMetrics(),
+			logger,
+			&out,
+			days,
+			true,
+			"json",
+		)
 
 		require.NoError(t, err)
 		require.Contains(t, out.String(), `"count": 50`)
@@ -43,7 +62,16 @@ func TestRunCleanExpiredTokens(t *testing.T) {
 
 	t.Run("invalid-days", func(t *testing.T) {
 		mockUseCase := &tokenizationMocks.MockTokenizationUseCase{}
-		err := RunCleanExpiredTokens(ctx, mockUseCase, logger, &bytes.Buffer{}, -1, false, "text")
+		err := RunCleanExpiredTokens(
+			ctx,
+			mockUseCase,
+			metrics.NewNopBusinessMetrics(),
+			logger,
+			&bytes.Buffer{},
+			-1,
+			false,
+			"text",
+		)
 
 		require.Error(t, err)
 		require.Contains(t, err.Error(), "days must be a positive number")

cmd/app/commands/purge_auth_tokens.go

@@ -8,6 +8,7 @@ import (
 	"log/slog"
 
 	"github.com/allisson/secrets/internal/auth/usecase"
+	"github.com/allisson/secrets/internal/metrics"
 )
 
 // PurgeAuthTokensResult holds the result of the authentication token purge operation.
@@ -44,6 +45,7 @@ func (r *PurgeAuthTokensResult) ToJSON() string {
 func RunPurgeAuthTokens(
 	ctx context.Context,
 	tokenUseCase usecase.TokenUseCase,
+	bm metrics.BusinessMetrics,
 	logger *slog.Logger,
 	writer io.Writer,
 	days int,
@@ -77,8 +79,12 @@ func RunPurgeAuthTokens(
 	}
 
 	// Execute purge
-	count, err := tokenUseCase.PurgeExpiredAndRevoked(ctx, days)
-	if err != nil {
+	var count int64
+	if err := metrics.Track(ctx, bm, "auth", "token_purge", func() error {
+		var e error
+		count, e = tokenUseCase.PurgeExpiredAndRevoked(ctx, days)
+		return e
+	}); err != nil {
 		return fmt.Errorf("failed to purge authentication tokens: %w", err)
 	}
 

cmd/app/commands/purge_auth_tokens_test.go

@@ -9,6 +9,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	usecaseMocks "github.com/allisson/secrets/internal/auth/usecase/mocks"
+	"github.com/allisson/secrets/internal/metrics"
 )
 
 func TestRunPurgeAuthTokens(t *testing.T) {
@@ -21,7 +22,16 @@ func TestRunPurgeAuthTokens(t *testing.T) {
 		mockUseCase.EXPECT().PurgeExpiredAndRevoked(ctx, days).Return(int64(100), nil).Once()
 
 		var out bytes.Buffer
-		err := RunPurgeAuthTokens(ctx, mockUseCase, logger, &out, days, false, "text")
+		err := RunPurgeAuthTokens(
+			ctx,
+			mockUseCase,
+			metrics.NewNopBusinessMetrics(),
+			logger,
+			&out,
+			days,
+			false,
+			"text",
+		)
 
 		require.NoError(t, err)
 		require.Contains(t, out.String(), "Successfully purged 100 expired/revoked authentication token(s)")
@@ -32,7 +42,16 @@ func TestRunPurgeAuthTokens(t *testing.T) {
 		mockUseCase.EXPECT().PurgeExpiredAndRevoked(ctx, days).Return(int64(50), nil).Once()
 
 		var out bytes.Buffer
-		err := RunPurgeAuthTokens(ctx, mockUseCase, logger, &out, days, false, "json")
+		err := RunPurgeAuthTokens(
+			ctx,
+			mockUseCase,
+			metrics.NewNopBusinessMetrics(),
+			logger,
+			&out,
+			days,
+			false,
+			"json",
+		)
 
 		require.NoError(t, err)
 		require.Contains(t, out.String(), `"count": 50`)
@@ -41,7 +60,16 @@ func TestRunPurgeAuthTokens(t *testing.T) {
 
 	t.Run("invalid-days", func(t *testing.T) {
 		mockUseCase := usecaseMocks.NewMockTokenUseCase(t)
-		err := RunPurgeAuthTokens(ctx, mockUseCase, logger, &bytes.Buffer{}, -1, false, "text")
+		err := RunPurgeAuthTokens(
+			ctx,
+			mockUseCase,
+			metrics.NewNopBusinessMetrics(),
+			logger,
+			&bytes.Buffer{},
+			-1,
+			false,
+			"text",
+		)
 
 		require.Error(t, err)
 		require.Contains(t, err.Error(), "days must be a non-negative number")

cmd/app/commands/purge_secrets.go

@@ -7,6 +7,7 @@ import (
 	"io"
 	"log/slog"
 
+	"github.com/allisson/secrets/internal/metrics"
 	secretsUseCase "github.com/allisson/secrets/internal/secrets/usecase"
 )
 
@@ -40,6 +41,7 @@ func (r *PurgeSecretsResult) ToJSON() string {
 func RunPurgeSecrets(
 	ctx context.Context,
 	secretUseCase secretsUseCase.SecretUseCase,
+	bm metrics.BusinessMetrics,
 	logger *slog.Logger,
 	writer io.Writer,
 	days int,
@@ -57,8 +59,12 @@ func RunPurgeSecrets(
 	)
 
 	// Execute purge operation
-	count, err := secretUseCase.PurgeDeleted(ctx, days, dryRun)
-	if err != nil {
+	var count int64
+	if err := metrics.Track(ctx, bm, "secrets", "secret_purge_deleted", func() error {
+		var e error
+		count, e = secretUseCase.PurgeDeleted(ctx, days, dryRun)
+		return e
+	}); err != nil {
 		return fmt.Errorf("failed to purge secrets: %w", err)
 	}
 

cmd/app/commands/purge_secrets_test.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 
+	"github.com/allisson/secrets/internal/metrics"
 	secretsMocks "github.com/allisson/secrets/internal/secrets/usecase/mocks"
 )
 
@@ -21,7 +22,16 @@ func TestRunPurgeSecrets(t *testing.T) {
 		mockUseCase.On("PurgeDeleted", ctx, days, false).Return(int64(100), nil)
 
 		var out bytes.Buffer
-		err := RunPurgeSecrets(ctx, mockUseCase, logger, &out, days, false, "text")
+		err := RunPurgeSecrets(
+			ctx,
+			mockUseCase,
+			metrics.NewNopBusinessMetrics(),
+			logger,
+			&out,
+			days,
+			false,
+			"text",
+		)
 
 		require.NoError(t, err)
 		require.Contains(t, out.String(), "Successfully deleted 100 secret(s) older than 30 day(s)")
@@ -33,7 +43,16 @@ func TestRunPurgeSecrets(t *testing.T) {
 		mockUseCase.On("PurgeDeleted", ctx, days, true).Return(int64(75), nil)
 
 		var out bytes.Buffer
-		err := RunPurgeSecrets(ctx, mockUseCase, logger, &out, days, true, "text")
+		err := RunPurgeSecrets(
+			ctx,
+			mockUseCase,
+			metrics.NewNopBusinessMetrics(),
+			logger,
+			&out,
+			days,
+			true,
+			"text",
+		)
 
 		require.NoError(t, err)
 		require.Contains(t, out.String(), "Dry-run mode: Would delete 75 secret(s) older than 30 day(s)")
@@ -45,7 +64,16 @@ func TestRunPurgeSecrets(t *testing.T) {
 		mockUseCase.On("PurgeDeleted", ctx, days, true).Return(int64(50), nil)
 
 		var out bytes.Buffer
-		err := RunPurgeSecrets(ctx, mockUseCase, logger, &out, days, true, "json")
+		err := RunPurgeSecrets(
+			ctx,
+			mockUseCase,
+			metrics.NewNopBusinessMetrics(),
+			logger,
+			&out,
+			days,
+			true,
+			"json",
+		)
 
 		require.NoError(t, err)
 		require.Contains(t, out.String(), `"count": 50`)
@@ -59,7 +87,16 @@ func TestRunPurgeSecrets(t *testing.T) {
 		mockUseCase.On("PurgeDeleted", ctx, days, false).Return(int64(25), nil)
 
 		var out bytes.Buffer
-		err := RunPurgeSecrets(ctx, mockUseCase, logger, &out, days, false, "json")
+		err := RunPurgeSecrets(
+			ctx,
+			mockUseCase,
+			metrics.NewNopBusinessMetrics(),
+			logger,
+			&out,
+			days,
+			false,
+			"json",
+		)
 
 		require.NoError(t, err)
 		require.Contains(t, out.String(), `"count": 25`)
@@ -70,7 +107,16 @@ func TestRunPurgeSecrets(t *testing.T) {
 
 	t.Run("invalid-days-negative", func(t *testing.T) {
 		mockUseCase := &secretsMocks.MockSecretUseCase{}
-		err := RunPurgeSecrets(ctx, mockUseCase, logger, &bytes.Buffer{}, -1, false, "text")
+		err := RunPurgeSecrets(
+			ctx,
+			mockUseCase,
+			metrics.NewNopBusinessMetrics(),
+			logger,
+			&bytes.Buffer{},
+			-1,
+			false,
+			"text",
+		)
 
 		require.Error(t, err)
 		require.Contains(t, err.Error(), "days must be a positive number")
@@ -81,7 +127,16 @@ func TestRunPurgeSecrets(t *testing.T) {
 		mockUseCase.On("PurgeDeleted", ctx, 0, false).Return(int64(10), nil)
 
 		var out bytes.Buffer
-		err := RunPurgeSecrets(ctx, mockUseCase, logger, &out, 0, false, "text")
+		err := RunPurgeSecrets(
+			ctx,
+			mockUseCase,
+			metrics.NewNopBusinessMetrics(),
+			logger,
+			&out,
+			0,
+			false,
+			"text",
+		)
 
 		require.NoError(t, err)
 		require.Contains(t, out.String(), "Successfully deleted 10 secret(s) older than 0 day(s)")
@@ -93,7 +148,16 @@ func TestRunPurgeSecrets(t *testing.T) {
 		mockUseCase.On("PurgeDeleted", ctx, days, false).Return(int64(0), nil)
 
 		var out bytes.Buffer
-		err := RunPurgeSecrets(ctx, mockUseCase, logger, &out, days, false, "text")
+		err := RunPurgeSecrets(
+			ctx,
+			mockUseCase,
+			metrics.NewNopBusinessMetrics(),
+			logger,
+			&out,
+			days,
+			false,
+			"text",
+		)
 
 		require.NoError(t, err)
 		require.Contains(t, out.String(), "Successfully deleted 0 secret(s)")