feat(cloudflare): add telemetry collection and /metrics endpoint

confidence-cloudflare-resolver/Cargo.toml

@@ -28,5 +28,7 @@ worker = { version= "0.6.1", features=['queue'] }
 base64 = "0.22.1"
 once_cell = "1.19"
 prost = "0.13"
+arc-swap = "1"
+js-sys = "0.3"
 serde = { version = "1.0.219" }
 serde_json = "1.0.85"

confidence-cloudflare-resolver/deployer/README.md

@@ -63,6 +63,7 @@ The deployer automatically:
 | `WRANGLER_DEPLOY_MESSAGE`            | Value passed to `wrangler deploy --message`                                                                                                       |
 | `WRANGLER_DEPLOY_ARGS`               | Additional newline-separated arguments passed to `wrangler deploy`                                                                                |
 | `WRANGLER_DEPLOY_ARGS_FILE`          | Path to a file containing additional `wrangler deploy` arguments, one argument per line                                                           |
+| `ENABLE_METRICS`                     | Set to create a KV namespace and enable the `/metrics` Prometheus endpoint. Requires a [KV store](https://developers.cloudflare.com/kv/platform/pricing/) |
 
 ### Extending Wrangler Configuration
 
@@ -120,6 +121,33 @@ When integrating with the Cloudflare resolver, you have two options:
 
 For more details on integration, including code examples using the [`@spotify-confidence/sdk`](https://github.com/spotify/confidence-sdk-js), see the [Confidence documentation](https://confidence.spotify.com/docs/sdks/edge/cloudflare#cloudflare-workers).
 
+## Telemetry & Metrics
+
+The resolver collects telemetry and exposes a Prometheus-compatible `/metrics` endpoint using the same metric names as all other Confidence providers (`confidence_resolve_latency_microseconds`, `confidence_resolves_total`).
+
+### How latency is measured
+
+Cloudflare Workers freeze `Date.now()` and `performance.now()` during synchronous CPU work (Spectre mitigation). The resolver uses `scheduler.wait(0)` — a zero-delay yield to the runtime — to unfreeze the clock after each resolve. This provides 1ms resolution with no measurable overhead.
+
+### `/metrics` endpoint
+
+Requires authentication:
+
+```bash
+curl -H "Authorization: ClientSecret <your-client-secret>" \
+  https://<worker>.workers.dev/metrics
+```
+
+Returns Prometheus exposition format with:
+- `confidence_resolve_latency_microseconds` — histogram (sum, count, cumulative `le` buckets)
+- `confidence_resolves_total` — counter by resolve reason
+
+Metrics are accumulated in a [KV namespace](https://developers.cloudflare.com/kv/platform/pricing/) (`CONFIDENCE_METRICS_KV`). Set `ENABLE_METRICS` to have the deployer create the KV namespace and bind it to the Worker. Without it, the `/metrics` endpoint returns empty and no KV writes occur.
+
+### Backend telemetry
+
+Resolve rates and latency are always sent to the Confidence backend via `WriteFlagLogsRequest`, regardless of the `ENABLE_METRICS` setting. The `/metrics` endpoint and KV store are only needed for direct Prometheus scraping — backend telemetry flows through the queue consumer independently.
+
 ## Limitations
 
 * **Sticky assignments**: Not currently supported with the Cloudflare resolver. Flags with sticky assignment rules will return "flag not found".

confidence-cloudflare-resolver/deployer/script.sh

@@ -366,6 +366,63 @@ else
     echo "⚠️ Could not check queue status (HTTP $QUEUE_STATUS)"
 fi
 
+# Create KV namespace for /metrics endpoint if it doesn't exist
+if [ -n "$WORKER_NAME_PREFIX" ]; then
+    KV_NAMESPACE_TITLE="${WORKER_NAME_PREFIX}-resolver-metrics"
+else
+    KV_NAMESPACE_TITLE="resolver-metrics"
+fi
+
+ENABLE_METRICS=${ENABLE_METRICS:=}
+if [ -z "$ENABLE_METRICS" ]; then
+    echo "ℹ️ ENABLE_METRICS not set; skipping KV namespace creation (/metrics endpoint disabled)"
+    KV_NAMESPACE_ID=""
+else
+
+echo "🔍 Checking if KV namespace '$KV_NAMESPACE_TITLE' exists..."
+KV_LIST=$(curl -sS -w "%{http_code}" \
+    -H "Authorization: Bearer ${CLOUDFLARE_API_TOKEN}" \
+    "https://api.cloudflare.com/client/v4/accounts/${CLOUDFLARE_ACCOUNT_ID}/storage/kv/namespaces?per_page=100")
+KV_LIST_STATUS="${KV_LIST: -3}"
+KV_LIST_BODY="${KV_LIST%???}"
+
+KV_NAMESPACE_ID=""
+if [ "$KV_LIST_STATUS" = "200" ]; then
+    KV_NAMESPACE_ID=$(printf "%s" "$KV_LIST_BODY" | jq -r ".result[] | select(.title == \"${KV_NAMESPACE_TITLE}\") | .id" 2>/dev/null || true)
+fi
+
+if [ -z "$KV_NAMESPACE_ID" ]; then
+    echo "📦 KV namespace '$KV_NAMESPACE_TITLE' not found, creating..."
+    KV_CREATE_RESP=$(curl -sS -w "%{http_code}" -X POST \
+        -H "Authorization: Bearer ${CLOUDFLARE_API_TOKEN}" \
+        -H "Content-Type: application/json" \
+        -d "{\"title\": \"${KV_NAMESPACE_TITLE}\"}" \
+        "https://api.cloudflare.com/client/v4/accounts/${CLOUDFLARE_ACCOUNT_ID}/storage/kv/namespaces")
+    KV_CREATE_STATUS="${KV_CREATE_RESP: -3}"
+    KV_CREATE_BODY="${KV_CREATE_RESP%???}"
+    if [ "$KV_CREATE_STATUS" = "200" ] || [ "$KV_CREATE_STATUS" = "201" ]; then
+        KV_NAMESPACE_ID=$(printf "%s" "$KV_CREATE_BODY" | jq -r '.result.id')
+        echo "✅ KV namespace '$KV_NAMESPACE_TITLE' created (id: $KV_NAMESPACE_ID)"
+    else
+        echo "⚠️ Failed to create KV namespace (HTTP $KV_CREATE_STATUS), /metrics will be unavailable"
+    fi
+else
+    echo "✅ KV namespace '$KV_NAMESPACE_TITLE' already exists (id: $KV_NAMESPACE_ID)"
+fi
+
+# Append KV binding to wrangler.toml if namespace was created
+if [ -n "$KV_NAMESPACE_ID" ]; then
+    cat >> wrangler.toml <<EOF
+
+[[kv_namespaces]]
+binding = "CONFIDENCE_METRICS_KV"
+id = "$KV_NAMESPACE_ID"
+EOF
+    echo "✅ Added CONFIDENCE_METRICS_KV binding to wrangler.toml"
+fi
+
+fi  # end ENABLE_METRICS check
+
 # Update worker name and queue name in wrangler.toml if using prefix
 if [ -n "$WORKER_NAME_PREFIX" ]; then
     sed -i.tmp "s/^name = .*/name = \"$WORKER_NAME\"/" wrangler.toml
@@ -479,6 +536,7 @@ add_wrangler_deploy_args_from_lines "WRANGLER_DEPLOY_ARGS" "$WRANGLER_DEPLOY_ARG
 # only deploy if NO_DEPLOY is not set
 if test -z "$NO_DEPLOY"; then
      wrangler deploy "${WRANGLER_DEPLOY_ARGS_ARRAY[@]}"
+
 else
      echo "NO_DEPLOY is set, skipping deploy"
 fi