
g14wxz/supabase-observability-metrics

Configures Prometheus scraping, log drains, and observability for Supabase infrastructure monitoring.

Quality: 97% (Does it follow best practices?)

Impact: Pending (no eval scenarios have been run)

Security (by Snyk): Risky. Do not use without reviewing.


rules/observability-rules.md

Observability Rules

FATAL Constraints

  • MUST NOT run without supabase-mcp-verification passing first. HALT otherwise.
  • NEVER expose service role keys, bearer tokens, or API secrets in plain text within monitoring configs committed to version control. MUST use environment variable references or secret management.
  • NEVER set scrape_interval below 15s. Aggressive scraping causes rate limiting and endpoint degradation.
  • MUST NOT skip any of the four required metric families: API response times, connection pool usage, auth token issuance rates, storage operation latency. HALT if any family is missing from the configuration.
  • NEVER configure log drains to publicly accessible endpoints without TLS. All drain destinations MUST use HTTPS.

Mandatory Behaviors

  • MUST target the Supabase privileged metrics endpoint at /customer/v1/privileged/metrics for Prometheus scraping.
  • MUST authenticate Prometheus scrape requests with a bearer token (service role key).
  • MUST set scrape_interval to 30s unless the operator explicitly specifies a different value.
  • MUST configure log drains in JSON format for all sources: API gateway, Postgres, and Auth.
  • MUST verify drain status is ACTIVE after configuration. Report any INACTIVE drains immediately.
  • MUST define alert baselines for API latency (p95 > 2s WARNING, > 5s CRITICAL) and connection pool saturation (> 80% WARNING, > 95% CRITICAL).
  • MUST validate Prometheus YAML syntax before writing configuration files.
  • MUST confirm metric series are returned within two scrape intervals after configuration. HALT if zero series are returned.
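
One way to check several of the rules above before a config is written, as an added example that is not part of the original rules file. It assumes the scrape job has already been parsed from YAML into a dict, that `${VAR}` placeholders are rendered by the deployment tooling, and that drain records have the hypothetical keys `source`, `url`, `format` and `status`.

```python
import re

REQUIRED_PATH = "/customer/v1/privileged/metrics"
REQUIRED_SOURCES = {"api_gateway", "postgres", "auth"}  # hypothetical source labels
ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")  # e.g. ${SUPABASE_SERVICE_ROLE_KEY}
UNITS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600}

def seconds(duration):
    """Convert a Prometheus duration such as '30s' or '1m30s' to seconds."""
    parts = re.findall(r"(\d+)(ms|s|m|h)", duration)
    if not parts or "".join(n + u for n, u in parts) != duration:
        raise ValueError(f"unparseable duration: {duration!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def check_scrape_job(job):
    """Return rule violations for one parsed scrape_configs entry."""
    problems = []
    interval = job.get("scrape_interval")
    if interval is None:
        problems.append("scrape_interval not set (rules default is 30s)")
    elif seconds(interval) < 15:
        problems.append(f"scrape_interval {interval} is below 15s")
    if job.get("metrics_path") != REQUIRED_PATH:
        problems.append("metrics_path is not the privileged metrics endpoint")
    auth = job.get("authorization", {})
    inline = auth.get("credentials") or job.get("bearer_token")
    if inline and not ENV_REF.match(inline):
        problems.append("bearer token is inline plain text")
    elif not (inline or auth.get("credentials_file") or job.get("bearer_token_file")):
        problems.append("no bearer token configured")
    return problems

def check_drains(drains):
    """Return rule violations for a list of drain records (hypothetical shape)."""
    problems = []
    for d in drains:
        if not d.get("url", "").lower().startswith("https://"):
            problems.append(f"{d['source']}: drain destination is not HTTPS")
        if d.get("format") != "json":
            problems.append(f"{d['source']}: drain format is not JSON")
        if d.get("status") != "ACTIVE":
            problems.append(f"{d['source']}: drain is not ACTIVE")
    for missing in sorted(REQUIRED_SOURCES - {d["source"] for d in drains}):
        problems.append(f"{missing}: no drain configured")
    return problems

# Constructed sample: a scrape job that breaks three rules (key is a placeholder).
BAD_JOB = {"job_name": "supabase", "scrape_interval": "5s", "metrics_path": "/metrics",
           "authorization": {"type": "Bearer", "credentials": "PLACEHOLDER_INLINE_KEY"}}
```

An empty list from both functions means these particular rules pass; the metric-family and alert-baseline rules are not covered here.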
