Fix high-cardinality metrics from unmatched paths

Summary

Requests to unregistered routes (scanner/bot traffic like /.env, /wp-admin, /.aws/credentials, etc.) were each recorded with their raw URL as the Prometheus endpoint label, causing label explosion in tf_http_requests_total and tf_http_request_duration_seconds.

• Group all unmatched-route requests under a single <unknown> label
• Preserves visibility into the volume of scanner traffic via tf_http_requests_total{endpoint="<unknown>"}
• Legitimate 404s from registered routes (e.g. GET /v0.1/requests/{request_id} → resource not found) are still tracked with their proper path template since the route still matches

Assisted-by Claude Code