feat(monitoring): add Grafana provisioning, cAdvisor, Airflow admin user fix, and technical docs

- docker-compose.yml: add cAdvisor service (port 8088), Grafana provisioning
  volume mounts, Prometheus 15d retention + lifecycle API + healthchecks
- prometheus/prometheus.yml: add self-scrape, cAdvisor scrape job
- prometheus/grafana/: auto-provision Prometheus datasource (uid: prometheus-etl)
  and ETL overview dashboard (uid: etl-monitoring-v1, 15 panels) with correct
  PromQL metric names ({__name__=~'.*_requests_total', job=~'.+-service'})
- airflow/Dockerfile: idempotent admin user creation in CMD (fixes cold-start
  where no users existed)
- docs/access-credentials.md: central reference for all service URLs,
  credentials, env vars, security checklist
- docs/architecture.md: technical architecture guide — Arrow IPC rationale,
  4 communication patterns, Preparator SDK design, Kahn topological layering,
  parallel ThreadPoolExecutor, Gunicorn multi-worker implications, observability,
  XCom file-based pattern, security design, trade-offs

Author: VTvito

airflow/Dockerfile

@@ -14,4 +14,5 @@ RUN mkdir -p /opt/airflow/dags /opt/airflow/logs /opt/airflow/plugins
 ENV PYTHONPATH="/opt/airflow/"
 
 # CMD per avvio servizi (db migrate ensures schema exists on first boot)
-CMD ["bash", "-c", "airflow db migrate && (airflow webserver & airflow scheduler)"]
+# Creates admin user on first boot only (idempotent: skips if already exists)
+CMD ["bash", "-c", "airflow db migrate && (airflow users list | grep -q admin || airflow users create --username admin --password admin --firstname Admin --lastname ETL --role Admin --email admin@etl.local) && (airflow webserver & airflow scheduler)"]

docker-compose.yml

@@ -65,6 +65,17 @@ services:
     networks:
       - etl-network
     restart: always
+    healthcheck:
+      test: ["CMD-SHELL", "wget -qO- http://localhost:9090/-/healthy || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 15s
+    command:
+      - --config.file=/etc/prometheus/prometheus.yml
+      - --storage.tsdb.path=/etc/prometheus/data
+      - --storage.tsdb.retention.time=15d
+      - --web.enable-lifecycle
 
   grafana:
     image: grafana/grafana:latest
@@ -74,11 +85,43 @@ services:
       - GF_SECURITY_ADMIN_PASSWORD=${GF_SECURITY_ADMIN_PASSWORD:-change-me-strong-password}
     volumes:
       - etl-grafana-data:/var/lib/grafana
+      - ./prometheus/grafana/provisioning:/etc/grafana/provisioning:ro
+      - ./prometheus/grafana/dashboards:/etc/grafana/provisioned-dashboards:ro
     ports:
       - "3000:3000"
     networks:
       - etl-network
+    depends_on:
+      - prometheus
     restart: always
+    healthcheck:
+      test: ["CMD-SHELL", "wget -qO- http://localhost:3000/api/health || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+
+  cadvisor:
+    image: gcr.io/cadvisor/cadvisor:latest
+    container_name: cadvisor
+    privileged: true
+    devices:
+      - /dev/kmsg:/dev/kmsg
+    volumes:
+      - /:/rootfs:ro
+      - /var/run:/var/run:ro
+      - /sys:/sys:ro
+      - /var/lib/docker/:/var/lib/docker:ro
+      - /cgroup:/cgroup:ro
+    ports:
+      - "8088:8080"
+    networks:
+      - etl-network
+    command:
+      - --docker_only=true
+      - --housekeeping_interval=15s
+      - --disable_metrics=advtcp,cpu_topology,cpuset,hugetlb,memory_numa,process,referenced_memory,resctrl,sched,tcp,udp
+    restart: unless-stopped
 
 # Microservices
   extract-csv-service:

docs/access-credentials.md

@@ -0,0 +1,118 @@
+# Access & Credentials — ETL Microservices Platform
+
+> **Security note:** I valori mostrati qui sono i **default di sviluppo** definiti in `.env.example`.  
+> In produzione, sovrascrivili tutti nel file `.env` (mai committare `.env` su Git).
+
+---
+
+## Quick Reference — Service URLs
+
+| Servizio | URL | Credenziali |
+|---|---|---|
+| **Grafana** (dashboard monitoraggio) | http://localhost:3000 | `admin` / `change-me-strong-password` |
+| **Prometheus** (metriche raw) | http://localhost:9090 | — nessuna auth — |
+| **Airflow** (orchestrazione DAG) | http://localhost:8080 | `admin` / `admin` (creato al primo avvio) |
+| **Streamlit UI** (AI pipeline builder) | http://localhost:8501 | — nessuna auth — |
+| **cAdvisor** (container metrics) | http://localhost:8088 | — nessuna auth — |
+| **PostgreSQL** (DB interno Airflow) | `localhost:5432` | `airflow` / `change-me-strong-password` |
+| **statsd-exporter** (metrics Airflow→Prom) | http://localhost:9102/metrics | — nessuna auth — |
+
+---
+
+## ETL Microservices — Porte & Health Endpoints
+
+Tutti i servizi espongono `GET /health` e `GET /metrics`.
+
+| Container | Porta | Health check |
+|---|---|---|
+| `extract-csv-service` | 5001 | http://localhost:5001/health |
+| `clean-nan-service` | 5002 | http://localhost:5002/health |
+| `delete-columns-service` | 5004 | http://localhost:5004/health |
+| `extract-sql-service` | 5005 | http://localhost:5005/health |
+| `extract-api-service` | 5006 | http://localhost:5006/health |
+| `extract-excel-service` | 5007 | http://localhost:5007/health |
+| `join-datasets-service` | 5008 | http://localhost:5008/health |
+| `load-data-service` | 5009 | http://localhost:5009/health |
+| `data-quality-service` | 5010 | http://localhost:5010/health |
+| `outlier-detection-service` | 5011 | http://localhost:5011/health |
+| `text-completion-llm-service` | 5012 | http://localhost:5012/health |
+
+> **Porta 5003** — non assegnata (gap storico). Prossimo servizio disponibile: **5013**.
+
+---
+
+## Variabili d'Ambiente — `.env`
+
+Copia `.env.example` in `.env` e modifica i valori prima di avviare lo stack.
+
+```bash
+cp .env.example .env
+```
+
+| Variabile | Default | Descrizione |
+|---|---|---|
+| `POSTGRES_USER` | `airflow` | Username PostgreSQL |
+| `POSTGRES_PASSWORD` | `change-me-strong-password` | Password PostgreSQL ⚠️ cambia in produzione |
+| `POSTGRES_DB` | `airflow` | Nome database PostgreSQL |
+| `GF_SECURITY_ADMIN_PASSWORD` | `change-me-strong-password` | Password admin Grafana ⚠️ cambia in produzione |
+| `ETL_DATA_ROOT` | `/app/data` | Root directory dati nei container |
+| `ALLOW_PRIVATE_API_URLS` | `false` | Permette URL privati nell'extract-api-service |
+| `HF_MODELS_PATH` | `./hf_models` | Path locale cache modelli HuggingFace |
+| `LLM_PROVIDER` | `openai` | Provider AI: `openai` oppure `local` |
+| `OPENAI_API_KEY` | *(vuoto)* | API key OpenAI — richiesta se `LLM_PROVIDER=openai` |
+| `OPENAI_MODEL` | `gpt-4o-mini` | Modello OpenAI da usare |
+
+---
+
+## Credenziali Airflow
+
+L'utente admin viene creato automaticamente al primo avvio dal `CMD` nel Dockerfile Airflow
+(idempotente: se esiste già non lo ricrea).
+
+| Campo | Valore default |
+|---|---|
+| Username | `admin` |
+| Password | `admin` |
+| URL | http://localhost:8080 |
+
+> Se stai usando un'istanza già avviata **prima** di questa modifica, crea l'utente manualmente:
+> ```bash
+> docker exec airflow airflow users create \
+>   --username admin --password admin \
+>   --firstname Admin --lastname ETL \
+>   --role Admin --email admin@etl.local
+> ```
+> Cambia la password dopo il primo login: `Admin → Users → admin → Edit`.
+
+---
+
+## Grafana — Login
+
+| Campo | Valore default |
+|---|---|
+| URL | http://localhost:3000 |
+| Username | `admin` |
+| Password | valore di `GF_SECURITY_ADMIN_PASSWORD` nel `.env` (default: `change-me-strong-password`) |
+
+Il datasource **Prometheus** e il dashboard **ETL Microservices — Monitoring Overview** sono pre-caricati automaticamente tramite provisioning (non serve configurazione manuale).
+
+---
+
+## PostgreSQL — Connessione diretta
+
+SQLAlchemy URI (usata internamente da Airflow, utile anche per ispezione diretta):
+```
+postgresql+psycopg2://airflow:change-me-strong-password@localhost:5432/airflow
+```
+
+---
+
+## Checklist Sicurezza (Produzione)
+
+- [ ] Cambia `POSTGRES_PASSWORD` con una password forte
+- [ ] Cambia `GF_SECURITY_ADMIN_PASSWORD` con una password forte  
+- [ ] Imposta `OPENAI_API_KEY` con la tua chiave reale
+- [ ] Aggiungi autenticazione ai microservizi (attualmente open su rete interna)
+- [ ] Non esporre le porte ETL (5001–5012) su IP pubblici
+- [ ] Abilita HTTPS per Grafana e Airflow in ambienti esposti
+- [ ] Ruota credenziali Airflow admin dopo il primo login