Can the REST interfaces ONLY be exposed via HTTPS?
Yes, if Grizzly adapter allows. Need to confirm.

Any other types of security?

What about access control - so only certain people can look?
No role base access for Prelude.

I prefer Flavour #1.

Once you pick a Flavour, you need to show inputs and outputs to
each REST URI.
Added example of response. We are still in the process of finalizing the object(and the attributes) to expose.

Will there also be the option of a SOAP (i.e., Metro) interface to monitoring?
I guess not.