1. Security: Replace insecure extractRemoteIP() in audit service with
middleware.RealIP() which validates trusted proxies before trusting
X-Real-IP/X-Forwarded-For headers. Export RealIP from middleware.
Update audit tests to verify anti-spoofing behavior.
2. Audit coverage: Add audit instrumentation to all 9 handlers that
had dead action constants: HandleEnvVarSave, HandleLabelAdd,
HandleLabelEdit, HandleLabelDelete, HandleVolumeAdd, HandleVolumeEdit,
HandleVolumeDelete, HandlePortAdd, HandlePortDelete.
3. README: Fix API path from /api/audit to /api/v1/audit.
4. README: Fix duplicate numbering in DI order section (items 10-11
were listed twice, now correctly numbered 10-16).
- Add Prometheus metrics package (internal/metrics) with deployment,
container health, webhook, HTTP request, and audit counters/histograms
- Add audit_log SQLite table via migration 007
- Add AuditEntry model with CRUD operations and query methods
- Add audit service (internal/service/audit) for recording user actions
- Instrument deploy service with deployment duration, count, and
in-flight metrics; container health gauge updates on deploy completion
- Instrument webhook service with event counters by app/type/matched
- Instrument HTTP middleware with request count, duration, and response
size metrics; also log response bytes in structured request logs
- Add audit logging to all key handler operations: login/logout, app
CRUD, deploy, cancel, rollback, restart/stop/start, webhook receipt,
and initial setup
- Add GET /api/audit endpoint for querying recent audit entries
- Make /metrics endpoint always available (optionally auth-protected)
- Add comprehensive tests for metrics, audit model, and audit service
- Update existing test infrastructure with metrics and audit dependencies
- Update README with Observability section documenting all metrics,
audit log, and structured logging
