e11y 0.1.0 → 0.2.0

data/lib/e11y/metrics/cardinality_protection.rb

@@ -7,10 +7,11 @@ module E11y
   module Metrics
     # Cardinality protection for metrics labels.
     #
-    # Implements 3-layer defense system to prevent cardinality explosions:
+    # Implements 4-layer defense system to prevent cardinality explosions:
     # 1. Universal Denylist - Block high-cardinality fields (user_id, order_id, etc.)
     # 2. Per-Metric Limits - Track unique values per metric, drop if exceeded
     # 3. Dynamic Monitoring - Alert when approaching limits
+    # 4. Dynamic Actions - Auto-relabeling, alerting, or dropping on overflow
     #
     # Now supports optional relabeling to reduce cardinality while preserving signal.
     #
@@ -27,8 +28,16 @@ module E11y
     #   safe_labels = protection.filter(labels, 'http.requests')
     #   # => { http_status: '2xx', path: '/api/users' }
     #
+    # @example With overflow strategy
+    #   protection = E11y::Metrics::CardinalityProtection.new(
+    #     overflow_strategy: :alert,
+    #     alert_threshold: 0.8
+    #   )
+    #
     # @see ADR-002 §4 (Cardinality Protection)
     # @see UC-013 (High Cardinality Protection)
+    # rubocop:disable Metrics/ClassLength
+    # Cardinality protection is a cohesive 4-layer defense system against metric explosions
     class CardinalityProtection
       # Universal denylist - high-cardinality fields that should NEVER be labels
       UNIVERSAL_DENYLIST = %i[
@@ -55,7 +64,16 @@ module E11y
       # Default per-metric cardinality limit
       DEFAULT_CARDINALITY_LIMIT = 1000
 
-      attr_reader :tracker, :relabeler
+      # Overflow strategies (Layer 4: Dynamic Actions)
+      OVERFLOW_STRATEGIES = %i[drop alert relabel].freeze
+
+      # Default overflow strategy
+      DEFAULT_OVERFLOW_STRATEGY = :drop
+
+      # Default alert threshold (80% of limit)
+      DEFAULT_ALERT_THRESHOLD = 0.8
+
+      attr_reader :tracker, :relabeler, :overflow_strategy, :alert_threshold
 
       # Initialize cardinality protection
       # @param config [Hash] Configuration options
@@ -63,16 +81,35 @@ module E11y
       # @option config [Array<Symbol>] :additional_denylist Additional fields to deny
       # @option config [Boolean] :enabled (true) Enable/disable protection
       # @option config [Boolean] :relabeling_enabled (true) Enable/disable relabeling
+      # @option config [Symbol] :overflow_strategy (:drop) Strategy when limit exceeded (:drop, :alert, :relabel)
+      # @option config [Float] :alert_threshold (0.8) Alert when cardinality reaches this ratio
+      # @option config [Proc] :alert_callback Optional callback when alert triggered
+      # @option config [Boolean] :auto_relabel (false) Auto-relabel to [OTHER] on overflow
+      # rubocop:disable Metrics/AbcSize
+      # Cardinality protection initialization requires extracting multiple config options and setting up components
       def initialize(config = {})
         @cardinality_limit = config.fetch(:cardinality_limit, DEFAULT_CARDINALITY_LIMIT)
         @enabled = config.fetch(:enabled, true)
         @relabeling_enabled = config.fetch(:relabeling_enabled, true)
         @denylist = Set.new(UNIVERSAL_DENYLIST + (config[:additional_denylist] || []))
 
+        # Layer 4: Dynamic Actions configuration
+        @overflow_strategy = config.fetch(:overflow_strategy, DEFAULT_OVERFLOW_STRATEGY)
+        @alert_threshold = config.fetch(:alert_threshold, DEFAULT_ALERT_THRESHOLD)
+        @alert_callback = config[:alert_callback]
+        @auto_relabel = config.fetch(:auto_relabel, false)
+
+        validate_config!
+
         # Use extracted components
         @tracker = CardinalityTracker.new(limit: @cardinality_limit)
         @relabeler = Relabeling.new
+
+        # Track overflow metrics
+        @overflow_counts = Hash.new(0)
+        @overflow_mutex = Mutex.new
       end
+      # rubocop:enable Metrics/AbcSize
 
       # Define relabeling rule for a label
       #
@@ -91,11 +128,11 @@ module E11y
 
       # Filter labels to prevent cardinality explosions
       #
-      # Applies 3-layer defense + optional relabeling:
+      # Applies 4-layer defense + optional relabeling:
       # 1. Relabel high-cardinality values (if enabled)
       # 2. Drop denylisted fields
       # 3. Track and limit per-metric cardinality
-      # 4. Alert on limit exceeded
+      # 4. Dynamic Actions on overflow (drop/alert/relabel)
       #
       # @param labels [Hash] Raw labels from event
       # @param metric_name [String] Metric name for tracking
@@ -106,21 +143,24 @@ module E11y
         safe_labels = {}
 
         labels.each do |key, value|
-          # Step 1: Relabel if rule exists (reduces cardinality)
+          # Layer 1: Relabel if rule exists (reduces cardinality)
           relabeled_value = @relabeling_enabled ? @relabeler.apply(key, value) : value
 
-          # Step 2: Denylist - drop high-cardinality fields
+          # Layer 2: Denylist - drop high-cardinality fields
           next if should_deny?(key)
 
-          # Step 3: Per-Metric Cardinality Limit
+          # Layer 3: Per-Metric Cardinality Limit
           if @tracker.track(metric_name, key, relabeled_value)
             safe_labels[key] = relabeled_value
           else
-            # Step 4: Alert when limit exceeded
-            warn_cardinality_exceeded(metric_name, key)
+            # Layer 4: Dynamic Actions on overflow
+            handle_overflow(metric_name, key, relabeled_value, safe_labels)
           end
         end
 
+        # Check if approaching alert threshold (after tracking new values)
+        check_alert_threshold(metric_name)
+
         safe_labels
       end
 
@@ -150,10 +190,29 @@ module E11y
       def reset!
         @tracker.reset_all!
         @relabeler.reset!
+        @overflow_mutex.synchronize do
+          @overflow_counts.clear
+        end
       end
 
       private
 
+      # Validate configuration
+      # @raise [ArgumentError] If configuration is invalid
+      def validate_config!
+        unless OVERFLOW_STRATEGIES.include?(@overflow_strategy)
+          raise ArgumentError,
+                "Invalid overflow_strategy: #{@overflow_strategy}. " \
+                "Must be one of: #{OVERFLOW_STRATEGIES.join(', ')}"
+        end
+
+        return if @alert_threshold.is_a?(Numeric) && @alert_threshold.positive? && @alert_threshold <= 1.0
+
+        raise ArgumentError,
+              "Invalid alert_threshold: #{@alert_threshold}. " \
+              "Must be a number between 0 and 1.0"
+      end
+
       # Check if label should be denied (Layer 1: Denylist)
       # @param key [Symbol] Label key
       # @return [Boolean] True if should be denied
@@ -161,12 +220,198 @@ module E11y
         @denylist.include?(key)
       end
 
-      # Warn about cardinality limit exceeded (Layer 3: Monitoring)
+      # Check if approaching alert threshold (Layer 3: Monitoring)
+      # @param metric_name [String] Metric name
+      # rubocop:disable Metrics/MethodLength
+      # Alert threshold checking requires calculating ratio, checking conditions, and sending detailed alerts
+      def check_alert_threshold(metric_name)
+        return unless @alert_threshold
+
+        current_cardinality = @tracker.cardinalities(metric_name).values.sum
+        ratio = current_cardinality.to_f / @cardinality_limit
+
+        return unless ratio >= @alert_threshold
+
+        # Only alert once per threshold crossing
+        alert_key = "#{metric_name}:#{@alert_threshold}"
+        return if @overflow_counts[alert_key].positive?
+
+        @overflow_mutex.synchronize do
+          @overflow_counts[alert_key] += 1
+        end
+
+        send_alert(
+          metric_name: metric_name,
+          message: "Cardinality approaching limit",
+          current: current_cardinality,
+          limit: @cardinality_limit,
+          ratio: ratio,
+          severity: :warn
+        )
+
+        # Track metric
+        track_cardinality_metric(metric_name, :threshold_exceeded, current_cardinality)
+      end
+      # rubocop:enable Metrics/MethodLength
+
+      # Handle overflow when cardinality limit exceeded (Layer 4: Dynamic Actions)
+      # @param metric_name [String] Metric name
+      # @param key [Symbol] Label key
+      # @param value [Object] Label value
+      # @param safe_labels [Hash] Current safe labels hash (may be modified)
+      def handle_overflow(metric_name, key, value, safe_labels)
+        # Increment overflow counter
+        overflow_key = "#{metric_name}:#{key}"
+        @overflow_mutex.synchronize do
+          @overflow_counts[overflow_key] += 1
+        end
+
+        case @overflow_strategy
+        when :drop
+          handle_drop(metric_name, key, value)
+        when :alert
+          handle_alert(metric_name, key, value)
+        when :relabel
+          handle_relabel(metric_name, key, value, safe_labels)
+        end
+
+        # Track overflow metric
+        track_cardinality_metric(metric_name, @overflow_strategy, @overflow_counts[overflow_key])
+      end
+
+      # Handle drop strategy - silently drop label
       # @param metric_name [String] Metric name
       # @param key [Symbol] Label key
-      def warn_cardinality_exceeded(metric_name, key)
-        warn "E11y Metrics: Cardinality limit exceeded for #{metric_name}:#{key} (limit: #{@cardinality_limit})"
+      # @param value [Object] Label value
+      def handle_drop(metric_name, key, value)
+        # Silent drop (most efficient)
+        # Optionally log at debug level
+        return unless defined?(::Rails) && ::Rails.logger&.debug?
+
+        ::Rails.logger.debug(
+          "[E11y] Cardinality limit exceeded: #{metric_name}:#{key}=#{value} (dropped)"
+        )
+      end
+
+      # Handle alert strategy - alert ops team and drop
+      # @param metric_name [String] Metric name
+      # @param key [Symbol] Label key
+      # @param value [Object] Label value
+      def handle_alert(metric_name, key, value)
+        current_cardinality = @tracker.cardinalities(metric_name)[key] || 0
+
+        send_alert(
+          metric_name: metric_name,
+          label_key: key,
+          label_value: value,
+          message: "Cardinality limit exceeded",
+          current: current_cardinality,
+          limit: @cardinality_limit,
+          overflow_count: @overflow_counts["#{metric_name}:#{key}"],
+          severity: :error
+        )
+
+        # Also log warning
+        warn "E11y Metrics: Cardinality limit exceeded for #{metric_name}:#{key} " \
+             "(limit: #{@cardinality_limit}, current: #{current_cardinality})"
+      end
+
+      # Handle relabel strategy - relabel to [OTHER]
+      # @param metric_name [String] Metric name
+      # @param key [Symbol] Label key
+      # @param value [Object] Label value
+      # @param safe_labels [Hash] Current safe labels hash (modified in place)
+      def handle_relabel(metric_name, key, value, safe_labels)
+        # Relabel to [OTHER] to preserve some signal
+        other_value = "[OTHER]"
+
+        # Force-track [OTHER] as a special aggregate value
+        # This bypasses limit checks since [OTHER] represents multiple overflow values
+        @tracker.force_track(metric_name, key, other_value)
+
+        # Add [OTHER] to safe_labels
+        safe_labels[key] = other_value
+
+        return unless defined?(::Rails) && ::Rails.logger&.debug?
+
+        ::Rails.logger.debug(
+          "[E11y] Cardinality limit exceeded: #{metric_name}:#{key}=#{value} " \
+          "(relabeled to [OTHER])"
+        )
+      end
+
+      # Send alert to configured destinations
+      # @param data [Hash] Alert data
+      def send_alert(data)
+        # Call custom callback if provided
+        @alert_callback&.call(data)
+
+        # Send to Sentry if available
+        send_sentry_alert(data) if sentry_available?
+      end
+
+      # Send alert to Sentry
+      # @param data [Hash] Alert data
+      def send_sentry_alert(data)
+        require "sentry-ruby" if defined?(Sentry)
+
+        ::Sentry.with_scope do |scope|
+          scope.set_tags(
+            metric_name: data[:metric_name].to_s,
+            label_key: data[:label_key].to_s,
+            overflow_strategy: @overflow_strategy.to_s
+          )
+
+          scope.set_extras(data)
+
+          level = data[:severity] == :error ? :error : :warning
+
+          ::Sentry.capture_message(
+            "[E11y] #{data[:message]}: #{data[:metric_name]}",
+            level: level
+          )
+        end
+      rescue LoadError, NameError
+        # Sentry not available, skip
+      end
+
+      # Check if Sentry is available
+      # @return [Boolean]
+      def sentry_available?
+        defined?(::Sentry) && ::Sentry.initialized?
+      end
+
+      # Track cardinality metric via Yabeda
+      # @param metric_name [String] Metric name
+      # @param action [Symbol] Action type (:threshold_exceeded, :drop, :alert, :relabel)
+      # @param value [Integer] Metric value
+      # rubocop:disable Metrics/MethodLength
+      # Cardinality tracking requires incrementing overflow counters and updating gauge metrics
+      def track_cardinality_metric(metric_name, action, value)
+        return unless defined?(E11y::Metrics)
+
+        # Track overflow actions
+        E11y::Metrics.increment(
+          :e11y_cardinality_overflow_total,
+          {
+            metric: metric_name,
+            action: action.to_s,
+            strategy: @overflow_strategy.to_s
+          }
+        )
+
+        # Track current cardinality
+        E11y::Metrics.gauge(
+          :e11y_cardinality_current,
+          value,
+          { metric: metric_name }
+        )
+      rescue StandardError => e
+        # Don't fail on metrics tracking errors
+        warn "E11y: Failed to track cardinality metric: #{e.message}"
       end
+      # rubocop:enable Metrics/MethodLength
     end
+    # rubocop:enable Metrics/ClassLength
   end
 end

data/lib/e11y/metrics/cardinality_tracker.rb

@@ -54,6 +54,23 @@ module E11y
         end
       end
 
+      # Force-track a label value, bypassing limit checks
+      #
+      # Used for special aggregate values like "[OTHER]" that need to be tracked
+      # even when limit is exceeded.
+      # Thread-safe operation.
+      #
+      # @param metric_name [String] Metric name
+      # @param label_key [Symbol, String] Label key
+      # @param label_value [Object] Label value to track
+      # @return [void]
+      def force_track(metric_name, label_key, label_value)
+        @mutex.synchronize do
+          value_set = @tracker[metric_name][label_key]
+          value_set.add(label_value) unless value_set.include?(label_value)
+        end
+      end
+
       # Check if metric+label has exceeded cardinality limit
       #
       # @param metric_name [String] Metric name

data/lib/e11y/metrics/registry.rb

@@ -23,6 +23,8 @@ module E11y
     # @example Find matching metrics
     #   metrics = registry.find_matching('order.paid')
     #   # => [{ type: :counter, name: :orders_total, ... }]
+    # rubocop:disable Metrics/ClassLength
+    # Registry is a cohesive singleton managing metric definitions and pattern matching
     class Registry
       include Singleton
 
@@ -161,7 +163,8 @@ module E11y
       # @param new_config [Hash] New metric configuration
       # @raise [TypeConflictError] if types don't match
       # @raise [LabelConflictError] if labels don't match
-      # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+      # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
+      # Conflict validation requires checking type and labels with detailed error messages
       def validate_no_conflicts!(existing, new_config)
         # Check 1: Type must match
         if existing[:type] != new_config[:type]
@@ -212,7 +215,7 @@ module E11y
           Using existing buckets.
         WARNING
       end
-      # rubocop:enable Metrics/AbcSize, Metrics/MethodLength
+      # rubocop:enable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
 
       # Compile glob pattern to regex
       # @param pattern [String] Glob pattern (e.g., "order.*", "user.*.created")
@@ -230,5 +233,6 @@ module E11y
         Regexp.new("\\A#{regex_pattern}\\z")
       end
     end
+    # rubocop:enable Metrics/ClassLength
   end
 end

data/lib/e11y/metrics/relabeling.rb

@@ -165,62 +165,6 @@ module E11y
       def size
         @mutex.synchronize { @rules.size }
       end
-
-      # Predefined common relabeling rules
-      module CommonRules
-        # HTTP status code to status class (1xx, 2xx, 3xx, 4xx, 5xx)
-        #
-        # @param value [Integer, String] HTTP status code
-        # @return [String] Status class
-        def self.http_status_class(value)
-          code = value.to_i
-          return "unknown" if code < 100 || code >= 600
-
-          "#{code / 100}xx"
-        end
-
-        # Path normalization - replace numeric IDs and UUIDs with placeholders
-        #
-        # @param value [String] URL path
-        # @return [String] Normalized path
-        def self.normalize_path(value)
-          value.to_s
-               .gsub(%r{/[a-f0-9-]{36}}, "/:uuid") # UUIDs (must be before :id to avoid partial match)
-               .gsub(%r{/[a-f0-9]{32}}, "/:hash") # MD5 hashes (must be before :id)
-               .gsub(%r{/\d+}, "/:id") # /users/123 -> /users/:id
-        end
-
-        # Region to region group (us-east-1 -> us, eu-west-2 -> eu)
-        #
-        # @param value [String] AWS-style region
-        # @return [String] Region group
-        def self.region_group(value)
-          case value.to_s
-          when /^us-/ then "us"
-          when /^eu-/ then "eu"
-          when /^ap-/ then "ap"
-          when /^sa-/ then "sa"
-          when /^ca-/ then "ca"
-          when /^af-/ then "af"
-          when /^me-/ then "me"
-          else "other"
-          end
-        end
-
-        # Duration classification (ms to fast/medium/slow)
-        #
-        # @param value [Numeric] Duration in milliseconds
-        # @return [String] Classification
-        def self.duration_class(value)
-          ms = value.to_f
-          case ms
-          when 0..100 then "fast"
-          when 101..1000 then "medium"
-          when 1001..5000 then "slow"
-          else "very_slow"
-          end
-        end
-      end
     end
   end
 end

data/lib/e11y/metrics.rb

@@ -91,7 +91,12 @@ module E11y
       def detect_backend
         # Check if Yabeda adapter is configured
         # Use class name string to avoid LoadError if Yabeda gem not installed
-        yabeda_adapter = E11y.config.adapters.values.find { |adapter| adapter.class.name == "E11y::Adapters::Yabeda" }
+        # rubocop:disable Style/ClassEqualityComparison
+        # Reason: instance_of?(::E11y::Adapters::Yabeda) would trigger LoadError when gem not installed
+        yabeda_adapter = E11y.config.adapters.values.find do |adapter|
+          adapter.class.name == "E11y::Adapters::Yabeda"
+        end
+        # rubocop:enable Style/ClassEqualityComparison
         return yabeda_adapter if yabeda_adapter
 
         # No backend configured → noop

data/lib/e11y/middleware/audit_signing.rb

@@ -39,14 +39,17 @@ module E11y
     class AuditSigning < Base
       middleware_zone :security
 
-      # HMAC signing key (from ENV or generated)
-      SIGNING_KEY = ENV.fetch("E11Y_AUDIT_SIGNING_KEY") do
-        # Development fallback (NOT for production!)
-        if defined?(Rails) && Rails.env.production?
-          raise E11y::Error, "E11Y_AUDIT_SIGNING_KEY must be set in production"
+      # Get HMAC signing key (from ENV or generated)
+      # @return [String] Signing key
+      def self.signing_key
+        @signing_key ||= ENV.fetch("E11Y_AUDIT_SIGNING_KEY") do
+          # Development fallback (NOT for production!)
+          if defined?(::Rails) && ::Rails.env.production?
+            raise E11y::Error, "E11Y_AUDIT_SIGNING_KEY must be set in production"
+          end
+
+          "development_key_#{SecureRandom.hex(32)}"
         end
-
-        "development_key_#{SecureRandom.hex(32)}"
       end
 
       # Initialize audit signing middleware
@@ -79,7 +82,7 @@ module E11y
 
         return false unless expected_signature && canonical
 
-        actual_signature = OpenSSL::HMAC.hexdigest("SHA256", SIGNING_KEY, canonical)
+        actual_signature = OpenSSL::HMAC.hexdigest("SHA256", signing_key, canonical)
         actual_signature == expected_signature
       end
       # rubocop:enable Naming/PredicateMethod
@@ -152,7 +155,7 @@ module E11y
       # @param data [String] Data to sign
       # @return [String] Hex-encoded signature
       def generate_signature(data)
-        OpenSSL::HMAC.hexdigest("SHA256", SIGNING_KEY, data)
+        OpenSSL::HMAC.hexdigest("SHA256", self.class.signing_key, data)
       end
 
       # Sort hash recursively for deterministic JSON

data/lib/e11y/middleware/pii_filter.rb

@@ -39,6 +39,8 @@ module E11y
     # @see ADR-006 PII Security & Compliance
     # @see UC-007 PII Filtering
     # @see E11y::PII::Patterns
+    # rubocop:disable Metrics/ClassLength
+    # PII filter is a cohesive security component with 3-tier filtering strategy
     class PIIFilter < Base
       middleware_zone :security
 
@@ -55,6 +57,8 @@ module E11y
       #
       # @param event_data [Hash] Event data with payload
       # @return [Hash] Processed event data
+      # rubocop:disable Lint/DuplicateBranch
+      # Unknown tiers intentionally fallback to no filtering (same as tier1)
       def call(event_data)
         # Determine filtering tier
         tier = determine_tier(event_data)
@@ -75,6 +79,7 @@ module E11y
           @app.call(event_data)
         end
       end
+      # rubocop:enable Lint/DuplicateBranch
 
       private
 
@@ -99,8 +104,7 @@ module E11y
         filtered_data = deep_dup(event_data)
 
         # Apply Rails parameter filter
-        filter = parameter_filter
-        filtered_data[:payload] = filter.filter(filtered_data[:payload])
+        filtered_data[:payload] = parameter_filter.filter(filtered_data[:payload])
 
         filtered_data
       end
@@ -139,6 +143,8 @@ module E11y
       # @param payload [Hash] Payload to filter
       # @param config [Hash] PII configuration
       # @return [Hash] Filtered payload
+      # rubocop:disable Metrics/CyclomaticComplexity, Metrics/MethodLength
+      # Field strategies require case/when for each PII filtering strategy type
       def apply_field_strategies(payload, config)
         return payload unless config
 
@@ -147,6 +153,8 @@ module E11y
         payload.each do |key, value|
           strategy = config.dig(:fields, key, :strategy) || :allow
 
+          # rubocop:disable Lint/DuplicateBranch
+          # Unknown strategies intentionally fallback to allow (same as :allow)
           filtered[key] = case strategy
                           when :mask
                             "[FILTERED]"
@@ -161,10 +169,12 @@ module E11y
                           else
                             value
                           end
+          # rubocop:enable Lint/DuplicateBranch
         end
 
         filtered
       end
+      # rubocop:enable Metrics/CyclomaticComplexity, Metrics/MethodLength
 
       # Apply pattern-based filtering to string values
       #
@@ -250,17 +260,15 @@ module E11y
 
       # Get Rails parameter filter
       #
+      # Uses Rails.application.config.filter_parameters for PII filtering.
+      #
       # @return [ActiveSupport::ParameterFilter] Parameter filter
       def parameter_filter
-        @parameter_filter ||= if defined?(Rails)
-                                ActiveSupport::ParameterFilter.new(
-                                  Rails.application.config.filter_parameters
-                                )
-                              else
-                                # Fallback for non-Rails environments
-                                ActiveSupport::ParameterFilter.new([])
-                              end
+        @parameter_filter ||= ActiveSupport::ParameterFilter.new(
+          Rails.application.config.filter_parameters
+        )
       end
     end
+    # rubocop:enable Metrics/ClassLength
   end
 end

data/lib/e11y/middleware/request.rb

@@ -32,6 +32,8 @@ module E11y
       # Process request
       # @param env [Hash] Rack environment
       # @return [Array] Rack response [status, headers, body]
+      # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
+      # Rack middleware request processing requires sequential setup of tracing, context, buffer, and SLO tracking
       def call(env)
         request = Rack::Request.new(env)
 
@@ -50,7 +52,7 @@ module E11y
         E11y::Current.request_path = request.path
 
         # Start request-scoped buffer (for debug events)
-        E11y::Buffers::RequestScopedBuffer.start! if E11y.config.request_buffer&.enabled
+        E11y::Buffers::RequestScopedBuffer.initialize! if E11y.config.request_buffer&.enabled
 
         # Track request start time for SLO
         start_time = Time.now
@@ -68,20 +70,21 @@ module E11y
         [status, headers, body]
       rescue StandardError
         # Flush request buffer on error (includes debug events)
-        E11y::Buffers::RequestScopedBuffer.flush_on_error! if E11y.config.request_buffer&.enabled
+        E11y::Buffers::RequestScopedBuffer.flush_on_error if E11y.config.request_buffer&.enabled
 
         raise # Re-raise original exception
       ensure
-        # Flush request buffer on success (not on error, already flushed above)
+        # Discard request buffer on success (not on error, already flushed above)
         # We need to check if we're here from normal completion or exception
         # If there was an exception, buffer was already flushed in rescue block
         if !$ERROR_INFO && E11y.config.request_buffer&.enabled # No exception occurred
-          E11y::Buffers::RequestScopedBuffer.flush!
+          E11y::Buffers::RequestScopedBuffer.discard
         end
 
         # Reset context
         E11y::Current.reset
       end
+      # rubocop:enable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
 
       private
 
@@ -138,6 +141,8 @@ module E11y
       # @param start_time [Time] Request start time
       # @return [void]
       # @api private
+      # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity
+      # SLO tracking requires extracting controller/action, calculating duration, and error handling
       def track_http_request_slo(env, status, start_time)
         return unless E11y.config.slo_tracking&.enabled
 
@@ -158,6 +163,7 @@ module E11y
         # Don't fail if SLO tracking fails
         warn "[E11y] SLO tracking error: #{e.message}"
       end
+      # rubocop:enable Metrics/AbcSize, Metrics/CyclomaticComplexity
     end
   end
 end