feat(metrics): add frontend and backend protocol distribution metrics

rust/crates/rustproxy-passthrough/src/tcp_listener.rs

@@ -43,6 +43,33 @@ impl Drop for ConnectionGuard {
     }
 }
 
+/// RAII guard for frontend+backend protocol distribution tracking.
+/// Calls the appropriate _closed methods on drop for both frontend and backend.
+struct ProtocolGuard {
+    metrics: Arc<MetricsCollector>,
+    frontend_proto: Option<&'static str>,
+    backend_proto: Option<&'static str>,
+}
+
+impl ProtocolGuard {
+    fn new(metrics: Arc<MetricsCollector>, frontend: &'static str, backend: &'static str) -> Self {
+        metrics.frontend_protocol_opened(frontend);
+        metrics.backend_protocol_opened(backend);
+        Self { metrics, frontend_proto: Some(frontend), backend_proto: Some(backend) }
+    }
+}
+
+impl Drop for ProtocolGuard {
+    fn drop(&mut self) {
+        if let Some(proto) = self.frontend_proto {
+            self.metrics.frontend_protocol_closed(proto);
+        }
+        if let Some(proto) = self.backend_proto {
+            self.metrics.backend_protocol_closed(proto);
+        }
+    }
+}
+
 /// RAII guard that calls ConnectionTracker::connection_closed on drop.
 /// Ensures per-IP tracking is cleaned up on ALL exit paths — normal, error, or panic.
 struct ConnectionTrackerGuard {
@@ -1024,6 +1051,9 @@ impl TcpListenerManager {
                     peer_addr, target_host, target_port, domain
                 );
 
+                // Track as "other" protocol (non-HTTP passthrough)
+                let _proto_guard = ProtocolGuard::new(Arc::clone(&metrics), "other", "other");
+
                 let mut actual_buf = vec![0u8; n];
                 stream.read_exact(&mut actual_buf).await?;
 
@@ -1090,6 +1120,8 @@ impl TcpListenerManager {
                         "TLS Terminate + TCP: {} -> {}:{} (domain: {:?})",
                         peer_addr, target_host, target_port, domain
                     );
+                    // Track as "other" protocol (TLS-terminated non-HTTP)
+                    let _proto_guard = ProtocolGuard::new(Arc::clone(&metrics), "other", "other");
                     // Raw TCP forwarding of decrypted stream
                     let backend = match tokio::time::timeout(
                         connect_timeout,
@@ -1176,6 +1208,8 @@ impl TcpListenerManager {
                         "TLS Terminate+Reencrypt + TCP: {} -> {}:{}",
                         peer_addr, target_host, target_port
                     );
+                    // Track as "other" protocol (TLS-terminated non-HTTP, re-encrypted)
+                    let _proto_guard = ProtocolGuard::new(Arc::clone(&metrics), "other", "other");
                     Self::handle_tls_reencrypt_tunnel(
                         buf_stream, &target_host, target_port,
                         peer_addr, Arc::clone(&metrics), route_id,
@@ -1192,6 +1226,8 @@ impl TcpListenerManager {
                     Ok(())
                 } else {
                     // Plain TCP forwarding (non-HTTP)
+                    // Track as "other" protocol (plain TCP, non-HTTP)
+                    let _proto_guard = ProtocolGuard::new(Arc::clone(&metrics), "other", "other");
                     let mut backend = match tokio::time::timeout(
                         connect_timeout,
                         tokio::net::TcpStream::connect(format!("{}:{}", target_host, target_port)),