diff --git a/ocr-service/main.py b/ocr-service/main.py
index 489fd98e..bde3fb2f 100644
--- a/ocr-service/main.py
+++ b/ocr-service/main.py
@@ -43,6 +43,10 @@ logger = logging.getLogger(__name__)
 
 _models_ready = False
 
+# One-shot import-time binding to the default REGISTRY. Tests that need a
+# clean counter state must monkeypatch `main.metrics` with a container built
+# from a fresh CollectorRegistry — rebinding through the registry directly
+# will not retarget the references stored in the OcrMetrics dataclass.
 metrics: OcrMetrics = build_metrics(REGISTRY)
 
 ALLOWED_PDF_HOSTS = set(
@@ -117,6 +121,9 @@ async def lifespan(app: FastAPI):
 
 app = FastAPI(title="Familienarchiv OCR Service", lifespan=lifespan)
 
+# /metrics is unauthenticated — relies on Docker-internal-network exposure
+# only (CWE-200 risk if `ports:` ever maps 8000 to host). See
+# docs/OBSERVABILITY.md §Internal-only endpoints for the Caddy block snippet.
 Instrumentator(excluded_handlers=["/health", "/metrics"]).instrument(app).expose(app)
 
 
diff --git a/ocr-service/requirements.txt b/ocr-service/requirements.txt
index 8a9bedec..39c492cc 100644
--- a/ocr-service/requirements.txt
+++ b/ocr-service/requirements.txt
@@ -11,3 +11,4 @@ httpx==0.28.1
 pyspellchecker==0.9.0
 opencv-python-headless==4.11.0.86
 prometheus-fastapi-instrumentator==7.0.0
+prometheus-client==0.25.0