M1 foundation: fix proxy, pool HTTP clients, split services, add ApiError + RLS

- Fix proxy body forwarding, round-robin load balancing, response streaming
- Pool reqwest::Client in proxy, control, and gateway (no per-request alloc)
- Harden CORS in gateway/main.rs (was allow_origin(Any), now uses ALLOWED_ORIGINS)
- Add common/src/error.rs: ApiError type with structured JSON responses
- Add common/src/rls.rs: RlsTransaction extractor for deduplicated RLS setup
- Fix tracing in all standalone binaries (EnvFilter instead of unused var)
- Dockerfile multi-stage: separate worker-runtime, control-runtime, proxy-runtime targets
- docker-compose.yml: split into worker/system/proxy services with health checks
- Fix Grafana port mapping in pillar-system (3030:3000)
- Add config/prometheus.yml and config/vmagent.yml
- Add .env.example with all required variables
- 55 tests pass (49 run + 6 ignored integration tests requiring external services)

Made-with: Cursor

gateway/src/main.rs

@@ -18,21 +18,33 @@ use std::sync::Arc;
 use std::time::Duration;
 use tokio::sync::RwLock;
 use tower_governor::{governor::GovernorConfigBuilder, key_extractor::SmartIpKeyExtractor, GovernorLayer};
-use tower_http::cors::{Any, CorsLayer};
+use tower_http::cors::{AllowOrigin, CorsLayer};
 use tower_http::trace::TraceLayer;
 use moka::future::Cache;
 use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt};
 
+fn shared_http_client() -> &'static reqwest::Client {
+    static CLIENT: std::sync::OnceLock<reqwest::Client> = std::sync::OnceLock::new();
+    CLIENT.get_or_init(|| {
+        reqwest::Client::builder()
+            .timeout(std::time::Duration::from_secs(30))
+            .pool_max_idle_per_host(10)
+            .build()
+            .unwrap()
+    })
+}
+
 async fn logs_proxy_handler(Query(params): Query<HashMap<String, String>>) -> impl IntoResponse {
-    let client = reqwest::Client::new();
-    // Use 'loki' as hostname since it's the service name in docker-compose
-    let loki_url = "http://loki:3100/loki/api/v1/query_range";
+    let loki_url = std::env::var("LOKI_URL")
+        .unwrap_or_else(|_| "http://loki:3100".to_string());
+    let query_url = format!("{}/loki/api/v1/query_range", loki_url);
     
-    let resp = client.get(loki_url)
+    let resp = shared_http_client()
+        .get(&query_url)
         .query(&params)
         .send()
         .await;
-        
+
     match resp {
         Ok(r) => {
             let status = StatusCode::from_u16(r.status().as_u16()).unwrap_or(StatusCode::INTERNAL_SERVER_ERROR);
@@ -244,12 +256,29 @@ async fn main() -> anyhow::Result<()> {
         .layer(GovernorLayer {
             config: governor_conf,
         })
-        .layer(
+        .layer({
+            let origins_str = std::env::var("ALLOWED_ORIGINS")
+                .unwrap_or_else(|_| "http://localhost:3000,http://localhost:8000".to_string());
+            let origins: Vec<axum::http::HeaderValue> = origins_str
+                .split(',')
+                .filter_map(|s| s.trim().parse().ok())
+                .collect();
             CorsLayer::new()
-                .allow_origin(Any)
-                .allow_methods(Any)
-                .allow_headers(Any),
-        )
+                .allow_origin(AllowOrigin::list(origins))
+                .allow_methods([
+                    axum::http::Method::GET,
+                    axum::http::Method::POST,
+                    axum::http::Method::PUT,
+                    axum::http::Method::DELETE,
+                    axum::http::Method::OPTIONS,
+                ])
+                .allow_headers([
+                    axum::http::header::CONTENT_TYPE,
+                    axum::http::header::AUTHORIZATION,
+                    axum::http::HeaderName::from_static("apikey"),
+                ])
+                .allow_credentials(true)
+        })
         .layer(TraceLayer::new_for_http())
         .layer(from_fn(log_headers))
         .layer(prometheus_layer);