feat(wardrobe): module foundation — garments + outfits space-scoped data layer (M1)

M1 of docs/plans/wardrobe-module.md — pure data layer + backend plumbing,
zero UI (that's M2). A user can now hold a digital wardrobe per space:
brand merch, club Trikots, family Kleiderschrank, team Kostüme, practice
Dresscode, and personal closet all live as separate pools under the same
Dexie tables, space-scoped like tags/scenes/agents after Phase 2c.

Data model — two tables, no join:

- wardrobeGarments (Dexie v41): single clothing items / accessories.
  Indexed on `category` + `createdAt` + `isArchived`. Encrypted:
  name/brand/color/size/material/tags/notes. Plaintext: category,
  mediaIds, counters, timestamps — all indexed or structural.
  `mediaIds[0]` is the primary photo used for try-on; additional
  ids are alternate views (back, detail) for M7.

- wardrobeOutfits (Dexie v41): named compositions referencing
  garment ids. Encrypted: name/description/tags. Plaintext:
  garmentIds (FK array), occasion (closed enum — useful for
  undecrypted filtering), season, booleans, lastTryOn snapshot.

- picture.images gains `wardrobeOutfitId?: string | null` as a
  plaintext back-reference. Try-on results land in the Picture
  gallery like any other generation; the outfit detail view
  queries them via this id rather than maintaining a third table.

Space scope:

- `wardrobe` added to all five explicit allowlists in shared-types/
  spaces.ts (personal is wildcard, no edit needed). Each space type
  gets a one-line comment explaining the real-world use case.
- App registry: `wardrobe` entry in shared-branding/mana-apps.ts
  with a rose→fuchsia gradient icon (T-shirt on hanger silhouette),
  color #e11d48, tier 'beta', status 'beta'.
- Module registry: wardrobeModuleConfig imported + appended to
  MODULE_CONFIGS so SYNC_APP_MAP picks it up automatically.

Backend:

- MAX_REFERENCE_IMAGES bumped 4 → 8 in picture/generate-with-
  reference (plus the client-side default in ReferenceImagePicker).
  Justified with a comment: face + body + top + bottom + shoes +
  outerwear + 2 accessories = 8. Cost doesn't scale with ref count
  (OpenAI bills per output), so the bump is a pure capability
  expansion with no credit-side risk.
- New POST /api/v1/wardrobe/garments/upload wraps uploadImageToMedia
  with app='wardrobe'. Registered under /api/v1/wardrobe in index.ts.
  Pattern 1:1 with the profile/me-images/upload endpoint; tier-gating
  falls out of wardrobe NOT being in RESOURCE_MODULES (tier='guest'
  works — consistent with picture's plain CRUD).

Stores emit domain events (WardrobeGarmentAdded, WardrobeOutfitCreated,
WardrobeOutfitTryOn, etc.) so later mana-ai missions can observe
activity without polling.

No UI in this commit. M2 (Garments-Grundlayer) wires the route + grid
+ upload-zone; M3 the Outfit composer; M4 the Try-On integration.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

apps/api/src/index.ts

@@ -20,6 +20,9 @@ import {
 // MCP server
 import { handleMcpRequest } from './mcp/server';
 
+// Prometheus metrics
+import { register as metricsRegister } from './lib/metrics';
+
 // Module routes
 import { calendarRoutes } from './modules/calendar/routes';
 import { contactsRoutes } from './modules/contacts/routes';
@@ -28,6 +31,7 @@ import { chatRoutes } from './modules/chat/routes';
 import { contextRoutes } from './modules/context/routes';
 import { pictureRoutes } from './modules/picture/routes';
 import { profileRoutes } from './modules/profile/routes';
+import { wardrobeRoutes } from './modules/wardrobe/routes';
 import { storageRoutes } from './modules/storage/routes';
 import { todoRoutes } from './modules/todo/routes';
 import { plantsRoutes } from './modules/plants/routes';
@@ -55,6 +59,15 @@ app.onError(errorHandler);
 app.notFound(notFoundHandler);
 app.use('*', cors({ origin: CORS_ORIGINS, credentials: true }));
 app.route('/health', healthRoute('mana-api'));
+
+// Prometheus scrape endpoint. Unauthenticated on purpose — the Grafana
+// / Prometheus stack runs on the internal network; we rely on the
+// reverse-proxy layer to block external access to /metrics.
+app.get('/metrics', async (c) => {
+	c.header('Content-Type', metricsRegister.contentType);
+	return c.text(await metricsRegister.metrics());
+});
+
 app.use('/api/*', rateLimitMiddleware({ max: 200, windowMs: 60_000 }));
 
 // Public routes — no auth required (weather data is public, published
@@ -103,6 +116,7 @@ app.route('/api/v1/chat', chatRoutes);
 app.route('/api/v1/context', contextRoutes);
 app.route('/api/v1/picture', pictureRoutes);
 app.route('/api/v1/profile', profileRoutes);
+app.route('/api/v1/wardrobe', wardrobeRoutes);
 app.route('/api/v1/storage', storageRoutes);
 app.route('/api/v1/todo', todoRoutes);
 app.route('/api/v1/plants', plantsRoutes);

apps/api/src/lib/metrics.ts

@@ -0,0 +1,106 @@
+/**
+ * Prometheus metrics for mana-api.
+ *
+ * Follows the same shape as mana-ai (default metrics with a service
+ * prefix, plus module-specific counters / histograms). Scraped from
+ * GET /metrics — mounted unauthenticated since the surface is
+ * internal-network only.
+ *
+ * Naming convention: `mana_api_<module>_*`. Underscore separators,
+ * standard Prometheus regex `[a-zA-Z_:][a-zA-Z0-9_:]*`.
+ */
+
+import { Counter, Histogram, Registry, collectDefaultMetrics } from 'prom-client';
+
+export const register = new Registry();
+register.setDefaultLabels({ service: 'mana-api' });
+collectDefaultMetrics({ register, prefix: 'mana_api_' });
+
+// ── Website module ──────────────────────────────────────
+
+/**
+ * Every call to POST /sites/:id/publish. `result` labels:
+ *   - `success`     — snapshot stored, is_current flipped
+ *   - `slug_taken`  — another site already has this slug live
+ *   - `invalid`     — validation error (bad slug, missing fields)
+ *   - `error`       — unexpected failure (DB, network)
+ */
+export const websitePublishTotal = new Counter({
+	name: 'mana_api_website_publish_total',
+	help: 'Publish attempts against the website module.',
+	labelNames: ['result'] as const,
+	registers: [register],
+});
+
+export const websitePublishDuration = new Histogram({
+	name: 'mana_api_website_publish_duration_seconds',
+	help: 'End-to-end latency of the publish flow (validation + DB transaction).',
+	buckets: [0.05, 0.1, 0.25, 0.5, 1, 2, 5],
+	registers: [register],
+});
+
+/**
+ * Form submissions received on the public endpoint. `result` labels:
+ *   - `received`    — stored in submissions table
+ *   - `spam`        — honeypot tripped, silent-dropped
+ *   - `rate_limit`  — IP rate-limit hit
+ *   - `not_found`   — slug or block missing
+ *   - `invalid`     — payload validation failed
+ */
+export const websiteSubmissionsTotal = new Counter({
+	name: 'mana_api_website_submissions_total',
+	help: 'Form submissions received on the website submit endpoint.',
+	labelNames: ['result'] as const,
+	registers: [register],
+});
+
+/**
+ * Host resolver lookups from hooks.server.ts. `result` labels:
+ *   - `hit`   — verified binding found, slug returned
+ *   - `miss`  — hostname not bound, 404
+ *   - `error` — DB error
+ */
+export const websiteHostResolveTotal = new Counter({
+	name: 'mana_api_website_host_resolve_total',
+	help: 'Custom-host to slug resolutions hit / miss.',
+	labelNames: ['result'] as const,
+	registers: [register],
+});
+
+/**
+ * DNS verification runs. `result`:
+ *   - `verified` — both TXT + CNAME/A matched
+ *   - `failed`   — at least one check failed; reason in logs
+ */
+export const websiteDomainVerifyTotal = new Counter({
+	name: 'mana_api_website_domain_verify_total',
+	help: 'Custom-domain DNS verification attempts.',
+	labelNames: ['result'] as const,
+	registers: [register],
+});
+
+/**
+ * Public snapshot reads — how many visitors hit /public/sites/:slug.
+ * `result`:
+ *   - `hit`    — snapshot served
+ *   - `not_found` — unpublished or unknown slug
+ */
+export const websitePublicReadsTotal = new Counter({
+	name: 'mana_api_website_public_reads_total',
+	help: 'Reads of the public /public/sites/:slug endpoint.',
+	labelNames: ['result'] as const,
+	registers: [register],
+});
+
+/**
+ * Cache-header guidance for operators: how often public reads return
+ * a cache-purge-worthy freshly-published blob vs a routine read. We
+ * emit this via header inspection in the public route; `purge_needed`
+ * is a heuristic (new-snapshot age < 10s).
+ */
+export const websitePublicReadAge = new Histogram({
+	name: 'mana_api_website_public_read_age_seconds',
+	help: 'Age of the served snapshot at read time (seconds since publishedAt).',
+	buckets: [1, 10, 60, 300, 1800, 3600, 21600, 86400],
+	registers: [register],
+});

apps/api/src/modules/picture/routes.ts

@@ -240,10 +240,12 @@ routes.post('/generate', async (c) => {
 // image input natively. Replicate/local fallback is a later milestone.
 
 // OpenAI gpt-image-1 / gpt-image-2 accept up to 16 reference images per
-// edit call. We clamp at 4 to keep credit exposure + upload payload size
-// predictable while still covering the common "face + fullbody + outfit"
-// workflow the plan targets.
-const MAX_REFERENCE_IMAGES = 4;
+// edit call. We clamp at 8 to cover the Wardrobe try-on workflow — one
+// face-ref + one body-ref + up to six garment photos (top/bottom/shoes/
+// outerwear + two accessories) — while keeping credit exposure and
+// upload payload size predictable. Pre-wardrobe the cap was 4; bumped
+// in docs/plans/wardrobe-module.md M1.
+const MAX_REFERENCE_IMAGES = 8;
 
 routes.post('/generate-with-reference', async (c) => {
 	const userId = c.get('userId');

apps/api/src/modules/wardrobe/routes.ts

@@ -0,0 +1,55 @@
+/**
+ * Wardrobe module — server endpoints.
+ *
+ * Thin wrapper around mana-media for garment photo uploads. Plan:
+ * docs/plans/wardrobe-module.md M1. No logic beyond tagging uploads
+ * as `app='wardrobe'` so a later `GET /api/v1/media?app=wardrobe&...`
+ * query can enumerate a user's garment pool without scanning every
+ * media reference.
+ *
+ * Try-on generation does NOT live here — it reuses the Picture
+ * module's POST /api/v1/picture/generate-with-reference endpoint
+ * with MAX_REFERENCE_IMAGES bumped to 8 so face + body + garments
+ * fit into one call.
+ */
+
+import { Hono } from 'hono';
+import type { AuthVariables } from '@mana/shared-hono';
+
+const routes = new Hono<{ Variables: AuthVariables }>();
+
+// Same 10MB cap as the other photo-upload endpoints (profile me-images,
+// picture uploads). Phone-camera PNG/HEIC routinely comes in under 6MB.
+const MAX_UPLOAD_BYTES = 10 * 1024 * 1024;
+
+routes.post('/garments/upload', async (c) => {
+	const userId = c.get('userId');
+	const formData = await c.req.formData();
+	const file = formData.get('file') as File | null;
+
+	if (!file) return c.json({ error: 'No file' }, 400);
+	if (file.size > MAX_UPLOAD_BYTES) return c.json({ error: 'Max 10MB' }, 400);
+
+	try {
+		const { uploadImageToMedia } = await import('../../lib/media');
+		const buffer = await file.arrayBuffer();
+		const result = await uploadImageToMedia(buffer, file.name, {
+			app: 'wardrobe',
+			userId,
+		});
+
+		return c.json(
+			{
+				mediaId: result.id,
+				storagePath: result.id,
+				publicUrl: result.urls.original,
+				thumbnailUrl: result.urls.thumbnail,
+			},
+			201
+		);
+	} catch (_err) {
+		return c.json({ error: 'Upload failed' }, 500);
+	}
+});
+
+export { routes as wardrobeRoutes };

apps/api/src/modules/website/public-routes.ts

@@ -10,6 +10,11 @@ import { Hono } from 'hono';
 import { and, eq } from 'drizzle-orm';
 import { db, publishedSnapshots, customDomains } from './schema';
 import { errorResponse } from '../../lib/responses';
+import {
+	websiteHostResolveTotal,
+	websitePublicReadsTotal,
+	websitePublicReadAge,
+} from '../../lib/metrics';
 import { websiteSubmitRoutes } from './submit';
 
 const routes = new Hono();
@@ -26,7 +31,10 @@ routes.route('/', websiteSubmitRoutes);
 routes.get('/resolve-host', async (c) => {
 	const raw = c.req.query('host');
 	const host = typeof raw === 'string' ? raw.toLowerCase().trim() : '';
-	if (!host) return errorResponse(c, 'host query param required', 400);
+	if (!host) {
+		websiteHostResolveTotal.inc({ result: 'error' });
+		return errorResponse(c, 'host query param required', 400);
+	}
 
 	const rows = await db
 		.select({ siteId: customDomains.siteId, hostname: customDomains.hostname })
@@ -34,7 +42,10 @@ routes.get('/resolve-host', async (c) => {
 		.where(and(eq(customDomains.hostname, host), eq(customDomains.status, 'verified')))
 		.limit(1);
 
-	if (!rows[0]) return errorResponse(c, 'Host not found', 404, { code: 'NOT_FOUND' });
+	if (!rows[0]) {
+		websiteHostResolveTotal.inc({ result: 'miss' });
+		return errorResponse(c, 'Host not found', 404, { code: 'NOT_FOUND' });
+	}
 
 	// Look up the slug from the most recent published snapshot.
 	const snap = await db
@@ -46,11 +57,13 @@ routes.get('/resolve-host', async (c) => {
 		.limit(1);
 
 	if (!snap[0]) {
+		websiteHostResolveTotal.inc({ result: 'miss' });
 		return errorResponse(c, 'Site not currently published', 404, {
 			code: 'NOT_PUBLISHED',
 		});
 	}
 
+	websiteHostResolveTotal.inc({ result: 'hit' });
 	c.header('Cache-Control', 'public, max-age=60, s-maxage=600');
 	return c.json({ slug: snap[0].slug, siteId: rows[0].siteId });
 });
@@ -78,7 +91,10 @@ routes.get('/sites/:slug', async (c) => {
 		.where(and(eq(publishedSnapshots.slug, slug), eq(publishedSnapshots.isCurrent, true)))
 		.limit(1);
 
-	if (!rows[0]) return errorResponse(c, 'Site not found', 404, { code: 'NOT_FOUND' });
+	if (!rows[0]) {
+		websitePublicReadsTotal.inc({ result: 'not_found' });
+		return errorResponse(c, 'Site not found', 404, { code: 'NOT_FOUND' });
+	}
 
 	// Conservative caching: short freshness window, aggressive stale-while-
 	// revalidate. Publish endpoint will purge by tag in M6; until then CF
@@ -86,6 +102,10 @@ routes.get('/sites/:slug', async (c) => {
 	c.header('Cache-Control', 'public, max-age=60, s-maxage=300, stale-while-revalidate=86400');
 	c.header('Cache-Tag', `site-${rows[0].id}`);
 
+	const ageSec = Math.max(0, (Date.now() - rows[0].publishedAt.getTime()) / 1000);
+	websitePublicReadsTotal.inc({ result: 'hit' });
+	websitePublicReadAge.observe(ageSec);
+
 	return c.json({
 		snapshotId: rows[0].id,
 		slug: rows[0].slug,

apps/api/src/modules/website/publish.ts

@@ -11,6 +11,7 @@ import { z } from 'zod';
 import { and, desc, eq } from 'drizzle-orm';
 import type { AuthVariables } from '@mana/shared-hono';
 import { errorResponse, validationError } from '../../lib/responses';
+import { websitePublishTotal, websitePublishDuration } from '../../lib/metrics';
 import { db, publishedSnapshots, submissions } from './schema';
 import { isValidSlug } from './reserved-slugs';
 
@@ -63,6 +64,7 @@ const DraftSnapshotSchema = z.object({
 // ─── POST /sites/:id/publish ────────────────────────────
 
 routes.post('/sites/:id/publish', async (c) => {
+	const publishTimer = websitePublishDuration.startTimer();
 	const userId = c.get('userId');
 	// Space id flows in via an explicit header (mana-auth doesn't yet
 	// embed the active space in JWT claims). Nullable — full membership
@@ -71,18 +73,30 @@ routes.post('/sites/:id/publish', async (c) => {
 	const spaceId = spaceIdHeader && /^[0-9a-f-]{36}$/i.test(spaceIdHeader) ? spaceIdHeader : null;
 	const siteId = c.req.param('id');
 
-	if (!siteId) return errorResponse(c, 'siteId required', 400);
+	if (!siteId) {
+		websitePublishTotal.inc({ result: 'invalid' });
+		publishTimer();
+		return errorResponse(c, 'siteId required', 400);
+	}
 
 	const parsed = DraftSnapshotSchema.safeParse(await c.req.json().catch(() => null));
-	if (!parsed.success) return validationError(c, parsed.error.issues);
+	if (!parsed.success) {
+		websitePublishTotal.inc({ result: 'invalid' });
+		publishTimer();
+		return validationError(c, parsed.error.issues);
+	}
 
 	const draft = parsed.data;
 	if (draft.site.id !== siteId) {
+		websitePublishTotal.inc({ result: 'invalid' });
+		publishTimer();
 		return errorResponse(c, 'Site id mismatch between path and body', 400, {
 			code: 'SITE_ID_MISMATCH',
 		});
 	}
 	if (!isValidSlug(draft.site.slug)) {
+		websitePublishTotal.inc({ result: 'invalid' });
+		publishTimer();
 		return errorResponse(c, `Slug "${draft.site.slug}" is invalid or reserved`, 400, {
 			code: 'INVALID_SLUG',
 		});
@@ -97,6 +111,8 @@ routes.post('/sites/:id/publish', async (c) => {
 		)
 		.limit(1);
 	if (conflicting[0] && conflicting[0].siteId !== siteId) {
+		websitePublishTotal.inc({ result: 'slug_taken' });
+		publishTimer();
 		return errorResponse(
 			c,
 			`Slug "${draft.site.slug}" is already taken by another published site`,
@@ -139,6 +155,8 @@ routes.post('/sites/:id/publish', async (c) => {
 
 		if (!result) throw new Error('Insert returned no row');
 
+		websitePublishTotal.inc({ result: 'success' });
+		publishTimer();
 		return c.json(
 			{
 				snapshotId: result.id,
@@ -151,10 +169,14 @@ routes.post('/sites/:id/publish', async (c) => {
 		// Postgres unique-constraint violation → slug conflict we didn't
 		// catch in the pre-check (classic race).
 		if (err instanceof Error && /unique/i.test(err.message)) {
+			websitePublishTotal.inc({ result: 'slug_taken' });
+			publishTimer();
 			return errorResponse(c, `Slug "${draft.site.slug}" was taken by a concurrent publish`, 409, {
 				code: 'SLUG_TAKEN',
 			});
 		}
+		websitePublishTotal.inc({ result: 'error' });
+		publishTimer();
 		throw err;
 	}
 });

apps/api/src/modules/website/submit.ts

@@ -23,6 +23,7 @@
 import { Hono } from 'hono';
 import { and, eq } from 'drizzle-orm';
 import { db, publishedSnapshots, submissions } from './schema';
+import { websiteSubmissionsTotal } from '../../lib/metrics';
 
 const routes = new Hono();
 
@@ -142,6 +143,7 @@ routes.post('/submit/:siteSlug/:blockId', async (c) => {
 		c.req.header('x-forwarded-for')?.split(',')[0]?.trim() ??
 		'unknown';
 	if (rateLimitHit(`${siteSlug}:${ip}`)) {
+		websiteSubmissionsTotal.inc({ result: 'rate_limit' });
 		return c.json({ error: 'Rate limit überschritten — bitte später erneut versuchen' }, 429);
 	}
 
@@ -157,19 +159,23 @@ routes.post('/submit/:siteSlug/:blockId', async (c) => {
 		.limit(1);
 
 	if (!snapshotRow[0]) {
+		websiteSubmissionsTotal.inc({ result: 'not_found' });
 		return c.json({ error: 'Website nicht gefunden oder offline' }, 404);
 	}
 
 	const block = findFormBlock(snapshotRow[0].blob as SnapshotBlob, blockId);
 	if (!block) {
+		websiteSubmissionsTotal.inc({ result: 'not_found' });
 		return c.json({ error: 'Block nicht gefunden' }, 404);
 	}
 	if (!isFormBlock(block)) {
+		websiteSubmissionsTotal.inc({ result: 'invalid' });
 		return c.json({ error: 'Block ist kein Formular' }, 400);
 	}
 
 	const rawBody = (await c.req.json().catch(() => null)) as Record<string, unknown> | null;
 	if (!rawBody || typeof rawBody !== 'object') {
+		websiteSubmissionsTotal.inc({ result: 'invalid' });
 		return c.json({ error: 'Payload fehlt oder ungültig' }, 400);
 	}
 
@@ -178,6 +184,7 @@ routes.post('/submit/:siteSlug/:blockId', async (c) => {
 	// Form renderer. We also look for a generic "_trap" key.
 	const trap = rawBody.honeypot ?? rawBody._trap;
 	if (typeof trap === 'string' && trap.trim().length > 0) {
+		websiteSubmissionsTotal.inc({ result: 'spam' });
 		// Act as success to the bot, store nothing.
 		return c.json({ ok: true, spam: true }, 202);
 	}
@@ -188,6 +195,7 @@ routes.post('/submit/:siteSlug/:blockId', async (c) => {
 	for (const field of block.props.fields) {
 		const result = validateField(field, rawBody[field.name]);
 		if (!result.ok) {
+			websiteSubmissionsTotal.inc({ result: 'invalid' });
 			return c.json({ error: result.error, field: field.name }, 400);
 		}
 		cleaned[field.name] = result.value;
@@ -209,6 +217,7 @@ routes.post('/submit/:siteSlug/:blockId', async (c) => {
 		})
 		.returning({ id: submissions.id });
 
+	websiteSubmissionsTotal.inc({ result: 'received' });
 	return c.json({ ok: true, submissionId: row?.id ?? null }, 201);
 });