
Lock down /metrics and internal status endpoints #159

@robertocarlous

Description

Problem

Operational endpoints are publicly accessible:

  • /metrics (Prometheus data)
  • /api/agent/status (agent health + lastError)

This is information disclosure and enables targeted abuse.

Acceptance criteria

  • Gate these endpoints behind one of:
    • internal service token (X-Internal-Token) OR
    • IP allowlist OR
    • admin token
  • Return 404 or 401/403 when not authorized (pick one policy)
  • Add tests for unauthorized access
  • Document how to scrape metrics in production

```typescript
// Route handlers referenced by the issue; only the opening line of each is quoted on the page
router.get('/', async (_req: Request, res: Response) => {

router.get('/status', (req: Request, res: Response) => {
```

Priority

P0 / Critical
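One way to meet the acceptance criteria above, as an added example that is not code from the issue or the project: an Express-style guard middleware that admits a request on a constant-time match of X-Internal-Token (the same check serves an admin token) or on an exact IP allowlist hit, and otherwise answers with a single configured deny status (404 chosen here). The names `internalOnly`, `isAuthorized` and `GatePolicy`, and the minimal structural request/response types standing in for Express's `Request`/`Response`, are assumptions of this example.

```typescript
import { timingSafeEqual } from "crypto";

// Minimal structural types so the example runs without the express package;
// Express's Request/Response satisfy these shapes (assumption of this example).
export interface GateRequest { headers: Record<string, string | string[] | undefined>; ip: string }
export interface GateResponse { status(code: number): GateResponse; end(): void }

export interface GatePolicy {
  internalToken?: string;       // expected value of X-Internal-Token (or an admin token)
  ipAllowlist?: string[];       // exact-match client IPs; no CIDR handling in this example
  denyStatus: 401 | 403 | 404;  // the one deny policy chosen for every gated endpoint
}

// Constant-time comparison; a length mismatch is simply a mismatch (timingSafeEqual would throw).
function tokenMatches(presented: string | undefined, expected: string): boolean {
  if (!presented) return false;
  const a = Buffer.from(presented);
  const b = Buffer.from(expected);
  return a.length === b.length && timingSafeEqual(a, b);
}

export function isAuthorized(req: GateRequest, policy: GatePolicy): boolean {
  const raw = req.headers["x-internal-token"];          // Node lower-cases header names
  const presented = Array.isArray(raw) ? raw[0] : raw;
  if (policy.internalToken && tokenMatches(presented, policy.internalToken)) return true;
  // req.ip is only trustworthy behind a proxy when Express's 'trust proxy' is set correctly;
  // otherwise the allowlist can be satisfied by a spoofed X-Forwarded-For.
  if (policy.ipAllowlist && policy.ipAllowlist.includes(req.ip)) return true;
  return false;
}

// Usage (assumed wiring): router.use('/metrics', internalOnly(policy)); same for '/api/agent/status'.
export function internalOnly(policy: GatePolicy) {
  return (req: GateRequest, res: GateResponse, next: () => void): void => {
    if (isAuthorized(req, policy)) { next(); return; }
    res.status(policy.denyStatus).end();   // no body: do not leak why the request was refused
  };
}
```

Mounting the guard before the route definitions keeps the handlers themselves unchanged, and the unauthorized-access tests the issue asks for can drive `internalOnly` directly with stub request/response objects.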
