Reviewed + verified locally (built, ran tests, read the OTel 1.44 SDK source, wrote throwaway tests for the edge cases). Core mechanism is correct — WithCardinalityLimit(0) genuinely means unlimited in the SDK, GoFr's option wins over the env-derived value, and bounding routeAttrs also fixes a real unbounded-map memory leak. Three things to fix:

1. (blocking) Matched, templated routes ending in a "static" extension get mislabeled /static/*. isStaticAsset(r.URL.Path) is the first switch case, so it runs before the matched route template is honored. Confirmed: GET /openapi.json on a registered route records path=/static/*, not /openapi.json. Any real API route ending in .json/.pdf/.html/... is bucketed as a static asset. Move the isStaticAsset check into the path == "" branch so it only applies when no route matched.

2. /static prefix is overbroad. HasPrefix(urlPath, "/static") (no trailing slash) collapses /static-report → /static/* (confirmed). Should be /static/.

3. Test doesn't guard the wiring it claims to. TestPrometheus_CardinalityLimitOption only asserts meter != nil — it'd still pass if the metricSdk.WithCardinalityLimit(...) line were deleted. Also no test for the container.go config parsing (valid / invalid→default fallback).

Minor: the app_http_response path-label change (/static/example.js→/static/*, raw 404s→/*) is a breaking change for existing dashboards but is only in the PR body/comments — worth a note in the docs too.

Thanks for the careful review — all three addressed in f6cfc4f.

1 (blocking) — matched templated routes mislabeled /static/*. Reordered the path resolution so a matched route template is honored first; the static/unmatched sentinels only apply when no template resolved. GET /openapi.json on a registered route now records path=/openapi.json. Guarded by TestMetrics_MatchedRouteWithStaticExtension. Also keep the root route as / instead of an empty label after trimming (TestMetrics_RootRouteLabel).

2 — /static prefix overbroad. Now requires /static/ (trailing slash), so /static-report is no longer collapsed. Guarded by a TestIsStaticAsset table test.

One consequence worth flagging: since static files are served via PathPrefix("/static/") (a matched route with template /static), honoring the template means those now label as /static rather than the /static/* sentinel — both bounded. The /static/* sentinel now only applies to static-looking requests that match no route (covered by TestMetrics_UnmatchedStaticAssetSentinel). Updated the existing static-file tests accordingly.

3 — tests didn't guard the wiring. Replaced the meter != nil check with TestPrometheus_CardinalityLimitApplied: it records past a limit of 1 against an isolated registry and asserts the overflow series appears (and is absent when unlimited). Verified it fails if metricSdk.WithCardinalityLimit(...) is removed. Extracted newPrometheusMeter to inject the registerer for deterministic scraping. Added TestContainer_cardinalityLimit for the config parsing (valid / 0 / invalid→default).

Minor — docs. Added a note in the observability docs covering the app_http_response path-label change and the cardinality limit / overflow behavior.

Re-reviewed the latest commits — rebuilt, re-ran tests/lint, and stood up a real GoFr server scraping /metrics. The three things I flagged are genuinely fixed and verified on a live server:

• /openapi.json registered route → path="/openapi.json" (no longer collapsed to /static/*) ✅
• /static/ prefix tightened (trailing slash) + TestIsStaticAsset ✅
• TestPrometheus_CardinalityLimitApplied now scrapes a real registry and asserts the otel.metric.overflow series — real wiring guard, fails if the SDK line is removed ✅
• docs note added; build/vet/gofmt/golangci-lint clean. 👍

One new thing surfaced on deeper inspection that I think should be addressed before merge:

isStaticAsset(), staticAssetPath (/static/*) and unmatchedPath (/*) are effectively dead code in a real GoFr app. GoFr unconditionally registers a catch-all router.PathPrefix("/") (gofr.go:175) whose GetPathTemplate() returns "/", so path is never empty → the path != "" branch always wins and the sentinel branches never execute. Verified on a running server:

• static files → path="/static" (via the PathPrefix("/static/") template, not isStaticAsset)
• static-looking 404s (/images/missing.png, /app.js) → path="/", not /static/*
• invented 404s + method-mismatch (POST/PUT/DELETE) → path="/", not /*

So the description's "collapse to bounded sentinels /static/* and /*" doesn't match real behavior (they collapse to /static and /), and TestMetrics_UnmatchedRouteBoundedLabel / TestMetrics_UnmatchedStaticAssetSentinel only pass because they build routers without GoFr's catch-all — they assert a path that never happens in the integrated framework.

Cardinality is still correctly bounded, so this isn't a correctness bug — it's dead code + a tests/description mismatch. Suggest either:

1. drop isStaticAsset + both sentinels and rely on the template + root special-case (already bounds everything), and fix the description; or
2. keep them deliberately as defense-in-depth, but say so and add an integration test that exercises the real GoFr router topology (with the catch-all) so the tests reflect reality.

Good catch — you're right, the catch-all PathPrefix("/") (gofr.go) means a template always resolves, so isStaticAsset + the /static/* and /* sentinels were dead code. Went with option 1 in 323611b.

• Removed isStaticAsset, staticAssetPath, unmatchedPath. The path label is now always the matched route template, trailing-slash trimmed, with an empty-template fallback to / (keeps the bound for any router without the catch-all).
• Verified on a running GoFr server scraping /metrics: /hello → /hello, /redis → /redis, and /no/such/route / /images/missing.png / /app.js all → /. No raw URLs, no /static/* or /*.
• Replaced the sentinel tests (which only passed without the catch-all) with TestMetrics_NoTemplateFallsBackToRoot and TestMetrics_GoFrRouterTopology — the latter builds the real topology (specific route + /static/ prefix + catch-all) and asserts templates / /static / /.
• Fixed the description to match (templates, /static, / — not the removed sentinels) and made METRICS_CARDINALITY_LIMIT a prominent section. Observability docs note updated too.

build/vet/golangci-lint clean; changed packages green (the local pkg/gofr failure is just port 2121 being held by another process on my box — unrelated to this diff).

Re-verified the latest commit (drop dead static/unmatched sentinels). Rebuilt, re-ran tests/vet/gofmt/golangci-lint, and stood up a real GoFr server scraping /metrics. The dead-code point is fully resolved and everything checks out.

What changed: isStaticAsset() + the /static/* and /* sentinels were removed; path resolution is now just template → trim trailing slash → fall back to /. The misleading isolated tests were dropped and replaced with TestMetrics_GoFrRouterTopology, which exercises the real router topology (specific route + PathPrefix("/static/") + catch-all PathPrefix("/")). The docs note was corrected to describe actual behavior (/static and /).

Live server /metrics confirms bounded labels, no raw-URL leakage:

• /static/example.js → path="/static"
• /openapi.json (registered route) → path="/openapi.json"
• /customer/42, /customer/777 → path="/customer/{id}"
• static-looking 404s, invented 404s, method-mismatch → path="/"
• no /*, no /static/*, no per-file/per-URL series

Checks: go build, go vet, gofmt, golangci-lint all clean on changed files; affected tests pass. Earlier items remain verified: configurable METRICS_CARDINALITY_LIMIT (0/negative = unlimited, confirmed against the OTel SDK source), the real cardinality-wiring test (registry scrape + otel.metric.overflow assertion), config-parsing test with fallback, and docs in both pages. Also genuinely fixes the original unbounded-cardinality + unbounded routeAttrs cache growth.

LGTM from my side — no outstanding issues. Only operational note: this is stacked on #3564, so #3564 should merge first, after which this retargets to development.