docs(08-02): complete Promtail to Alloy migration plan

Tasks completed: 2/2 - Deploy Grafana Alloy via Helm (DaemonSet on all 5 nodes) - Verify log flow and remove Promtail SUMMARY: .planning/phases/08-observability-stack/08-02-SUMMARY.md Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
feat(08-02): deploy Grafana Alloy for log collection
2026-02-03 22:13:22 +01:00 · 2026-02-03 22:09:50 +01:00 · 2026-02-03 22:07:43 +01:00 · 2026-02-03 22:06:14 +01:00 · 2026-02-03 22:05:16 +01:00 · 2026-02-03 21:24:24 +01:00
19 changed files with 1475 additions and 30 deletions
--- a/.planning/REQUIREMENTS.md
+++ b/.planning/REQUIREMENTS.md
@@ -9,10 +9,10 @@ Requirements for milestone v2.0 Production Operations. Each maps to roadmap phas
 ### GitOps
- [ ] **GITOPS-01**: ArgoCD server installed and running in cluster
+- [x] **GITOPS-01**: ArgoCD server installed and running in cluster
- [ ] **GITOPS-02**: ArgoCD syncs TaskPlanner deployment from Git automatically
+- [x] **GITOPS-02**: ArgoCD syncs TaskPlanner deployment from Git automatically
- [ ] **GITOPS-03**: ArgoCD self-heals manual changes to match Git state
+- [x] **GITOPS-03**: ArgoCD self-heals manual changes to match Git state
- [ ] **GITOPS-04**: ArgoCD UI accessible via Traefik ingress with TLS
+- [x] **GITOPS-04**: ArgoCD UI accessible via Traefik ingress with TLS
 ### Observability
@@ -73,10 +73,10 @@ Which phases cover which requirements. Updated during roadmap creation.
 | Requirement | Phase | Status |
 |-------------|-------|--------|
-| GITOPS-01 | Phase 7 | Pending |
+| GITOPS-01 | Phase 7 | Complete |
-| GITOPS-02 | Phase 7 | Pending |
+| GITOPS-02 | Phase 7 | Complete |
-| GITOPS-03 | Phase 7 | Pending |
+| GITOPS-03 | Phase 7 | Complete |
-| GITOPS-04 | Phase 7 | Pending |
+| GITOPS-04 | Phase 7 | Complete |
 | OBS-01 | Phase 8 | Pending |
 | OBS-02 | Phase 8 | Pending |
 | OBS-03 | Phase 8 | Pending |
@@ -98,4 +98,4 @@ Which phases cover which requirements. Updated during roadmap creation.
 ---
 *Requirements defined: 2026-02-03*
-*Last updated: 2026-02-03 — Traceability updated after roadmap creation*
+*Last updated: 2026-02-03 — Phase 7 requirements complete*
--- a/.planning/ROADMAP.md
+++ b/.planning/ROADMAP.md
@@ -57,7 +57,7 @@ Decimal phases appear between their surrounding integers in numeric order.
 **Milestone Goal:** Production-grade operations with GitOps deployment, observability stack, and CI test pipeline
- [ ] **Phase 7: GitOps Foundation** - ArgoCD deployment automation with Git as source of truth
+- [x] **Phase 7: GitOps Foundation** - ArgoCD deployment automation with Git as source of truth ✓
 - [ ] **Phase 8: Observability Stack** - Metrics, dashboards, logs, and alerting
 - [ ] **Phase 9: CI Pipeline Hardening** - Automated testing before build
@@ -76,8 +76,8 @@ Decimal phases appear between their surrounding integers in numeric order.
 **Plans**: 2 plans
 Plans:
- [ ] 07-01-PLAN.md — Register TaskPlanner Application with ArgoCD
+- [x] 07-01-PLAN.md — Register TaskPlanner Application with ArgoCD
- [ ] 07-02-PLAN.md — Verify auto-sync and self-heal behavior
+- [x] 07-02-PLAN.md — Verify auto-sync and self-heal behavior
 ### Phase 8: Observability Stack
 **Goal**: Full visibility into cluster and application health via metrics, logs, and dashboards
@@ -89,12 +89,12 @@ Plans:
  3. Logs from all pods are queryable in Grafana Explore via Loki
  4. Alert fires when a pod crashes or restarts repeatedly (KubePodCrashLooping)
  5. TaskPlanner /metrics endpoint returns Prometheus-format metrics
-**Plans**: TBD
+**Plans**: 3 plans
 Plans:
- [ ] 08-01: kube-prometheus-stack installation (Prometheus + Grafana)
+- [ ] 08-01-PLAN.md — TaskPlanner /metrics endpoint and ServiceMonitor
- [ ] 08-02: Loki + Alloy installation for log aggregation
+- [ ] 08-02-PLAN.md — Promtail to Alloy migration for log collection
- [ ] 08-03: Critical alerts and TaskPlanner metrics endpoint
+- [ ] 08-03-PLAN.md — End-to-end observability verification
 ### Phase 9: CI Pipeline Hardening
 **Goal**: Tests run before build - type errors and test failures block deployment
@@ -125,14 +125,15 @@ Phases execute in numeric order: 7 -> 8 -> 9
 | 4. Tags & Organization | v1.0 | 3/3 | Complete | 2026-01-31 |
 | 5. Search | v1.0 | 3/3 | Complete | 2026-01-31 |
 | 6. Deployment | v1.0 | 2/2 | Complete | 2026-02-01 |
-| 7. GitOps Foundation | v2.0 | 0/2 | Planned | - |
+| 7. GitOps Foundation | v2.0 | 2/2 | Complete ✓ | 2026-02-03 |
-| 8. Observability Stack | v2.0 | 0/3 | Not started | - |
+| 8. Observability Stack | v2.0 | 0/3 | Planned | - |
 | 9. CI Pipeline Hardening | v2.0 | 0/2 | Not started | - |
 ---
 *Roadmap created: 2026-01-29*
 *v2.0 phases added: 2026-02-03*
 *Phase 7 planned: 2026-02-03*
 *Phase 8 planned: 2026-02-03*
 *Depth: standard*
 *v1.0 Coverage: 31/31 requirements mapped*
 *v2.0 Coverage: 17/17 requirements mapped*
--- a/.planning/STATE.md
+++ b/.planning/STATE.md
@@ -5,16 +5,16 @@
 See: .planning/PROJECT.md (updated 2026-02-01)
 **Core value:** Capture and find anything from any device — especially laptop. If cross-device capture with images doesn't work, nothing else matters.
-**Current focus:** v2.0 Production Operations — Phase 7 (GitOps Foundation)
+**Current focus:** v2.0 Production Operations — Phase 8 (Observability Stack)
 ## Current Position
-Phase: 7 of 9 (GitOps Foundation)
+Phase: 8 of 9 (Observability Stack) - IN PROGRESS
-Plan: 1 of 2 in current phase
+Plan: 2 of 3 in current phase - COMPLETE
 Status: In progress
-Last activity: 2026-02-03 — Completed 07-01-PLAN.md (ArgoCD Registration)
+Last activity: 2026-02-03 — Completed 08-02-PLAN.md (Promtail to Alloy Migration)
-Progress: [███████████████████░░░░░░░░░░░] 72% (19/25 plans complete)
+Progress: [██████████████████████░░░░░░░░] 88% (22/25 plans complete)
 ## Performance Metrics
@@ -26,8 +26,8 @@ Progress: [███████████████████░░░░
 - Requirements satisfied: 31/31
 **v2.0 Progress:**
- Plans completed: 1/7
+- Plans completed: 4/7
- Total execution time: 21 min
+- Total execution time: 38 min
 **By Phase (v1.0):**
@@ -44,7 +44,8 @@ Progress: [███████████████████░░░░
 | Phase | Plans | Total | Avg/Plan |
 |-------|-------|-------|----------|
-| 07-gitops-foundation | 1/2 | 21 min | 21 min |
+| 07-gitops-foundation | 2/2 | 26 min | 13 min |
 | 08-observability-stack | 2/3 | 12 min | 6 min |
 ## Accumulated Context
@@ -63,6 +64,19 @@ For v2.0, key decisions from research:
 - Internal URLs: Use cluster-internal Gitea service for ArgoCD repo access
 - Secret management: Credentials not committed to Git, created via kubectl
 **From Phase 7-02:**
 - GitOps verification pattern: Use pod annotation changes for non-destructive sync testing
 - ArgoCD health "Progressing" is display issue, not functional problem
 **From Phase 8-01:**
 - Use prom-client default metrics only (no custom metrics for initial setup)
 - ServiceMonitor enabled by default in values.yaml
 **From Phase 8-02:**
 - Alloy uses River config language (not YAML)
 - Match Promtail labels for Loki query compatibility
 - Control-plane node tolerations required for full DaemonSet coverage
 ### Pending Todos
 - Deploy Gitea Actions runner for automatic CI builds
@@ -70,14 +84,14 @@ For v2.0, key decisions from research:
 ### Blockers/Concerns
 - Gitea Actions workflows stuck in "queued" - no runner available
- ArgoCD health shows "Progressing" despite pod healthy (display issue)
+- ArgoCD health shows "Progressing" despite pod healthy (display issue, not blocking)
 ## Session Continuity
-Last session: 2026-02-03 14:27 UTC
+Last session: 2026-02-03 21:12 UTC
-Stopped at: Completed 07-01-PLAN.md
+Stopped at: Completed 08-02-PLAN.md
 Resume file: None
 ---
 *State initialized: 2026-01-29*
-*Last updated: 2026-02-03 — 07-01 ArgoCD registration complete*
+*Last updated: 2026-02-03 — Completed 08-02-PLAN.md (Promtail to Alloy Migration)*
--- a/.planning/phases/07-gitops-foundation/07-02-SUMMARY.md
+++ b/.planning/phases/07-gitops-foundation/07-02-SUMMARY.md
@@ -0,0 +1,97 @@
 ---
 phase: 07-gitops-foundation
 plan: 02
 subsystem: infra
 tags: [argocd, gitops, kubernetes, self-heal, auto-sync, verification]
 # Dependency graph
 requires:
  - phase: 07-gitops-foundation/01
    provides: ArgoCD Application registered with Synced status
 provides:
  - Verified GitOps auto-sync on Git push
  - Verified self-heal on manual cluster changes
  - Complete GitOps foundation for TaskPlanner
 affects: [08-logging, 09-monitoring]
 # Tech tracking
 tech-stack:
  added: []
  patterns:
    - "GitOps verification: Test auto-sync with harmless annotation changes"
    - "Self-heal verification: Delete pod, confirm ArgoCD restores state"
 key-files:
  created: []
  modified:
    - helm/taskplaner/values.yaml
 key-decisions:
  - "Use pod annotation for sync testing: Non-destructive change that propagates to running pod"
  - "ArgoCD health 'Progressing' is display issue: App functional despite UI status"
 patterns-established:
  - "GitOps testing: Push annotation change, wait for sync, verify pod metadata"
  - "Self-heal testing: Delete pod, confirm restoration, verify Synced status"
 # Metrics
 duration: 5min
 completed: 2026-02-03
 ---
 # Phase 7 Plan 02: GitOps Verification Summary
 **Verified GitOps workflow: auto-sync triggers within 2 minutes on push, self-heal restores deleted pods, ArgoCD maintains Synced status**
 ## Performance
 - **Duration:** 5 min (verification tasks + human checkpoint)
 - **Started:** 2026-02-03T14:30:00Z
 - **Completed:** 2026-02-03T14:35:00Z
 - **Tasks:** 3 (2 auto + 1 checkpoint)
 - **Files modified:** 1
 ## Accomplishments
 - Auto-sync verified: Git push triggered ArgoCD sync within ~2 minutes
 - Self-heal verified: Pod deletion restored automatically, ArgoCD remained Synced
 - Human verification: ArgoCD UI shows TaskPlanner as Synced, app accessible at https://task.kube2.tricnet.de
 - All GITOPS requirements from ROADMAP.md satisfied
 ## Task Commits
 Each task was committed atomically:
 1. **Task 1: Test auto-sync by pushing a helm change** - `175930c` (test)
 2. **Task 2: Test self-heal by deleting a pod** - No commit (no files changed, verification only)
 3. **Task 3: Checkpoint - Human verification** - Approved (checkpoint, no commit)
 ## Files Created/Modified
 - `helm/taskplaner/values.yaml` - Added gitops-test annotation to verify sync propagation
 ## Decisions Made
 - Used pod annotation change for sync testing (harmless, visible in pod metadata)
 - Accepted ArgoCD "Progressing" health status as display issue (pod healthy, app functional)
 ## Deviations from Plan
 None - plan executed exactly as written.
 ## Issues Encountered
 - ArgoCD health shows "Progressing" instead of "Healthy" despite pod running and health endpoint working
 - This is a known display issue, not a functional problem
 - All GitOps functionality (sync, self-heal) works correctly
 ## User Setup Required
 None - GitOps verification is complete. No additional configuration needed.
 ## Next Phase Readiness
 - Phase 7 (GitOps Foundation) complete
 - ArgoCD manages TaskPlanner deployment via GitOps
 - Auto-sync and self-heal verified working
 - Ready for Phase 8 (Logging) - can add log collection for ArgoCD sync events
 - Pending: Gitea Actions runner deployment for automatic CI builds (currently building manually)
 ---
 *Phase: 07-gitops-foundation*
 *Completed: 2026-02-03*
--- a/.planning/phases/07-gitops-foundation/07-VERIFICATION.md
+++ b/.planning/phases/07-gitops-foundation/07-VERIFICATION.md
@@ -0,0 +1,215 @@
 ---
 phase: 07-gitops-foundation
 verified: 2026-02-03T20:10:00Z
 status: passed
 score: 5/5 must-haves verified
 re_verification: false
 ---
 # Phase 7: GitOps Foundation Verification Report
 **Phase Goal:** Deployments are fully automated via Git - push triggers deploy, manual changes self-heal
 **Verified:** 2026-02-03T20:10:00Z
 **Status:** PASSED
 **Re-verification:** No - initial verification
 ## Goal Achievement
 ### Observable Truths
 | # | Truth | Status | Evidence |
 |---|-------|--------|----------|
 | 1 | ArgoCD can access TaskPlanner Git repository | ✓ VERIFIED | Repository secret exists with correct internal URL, Application syncing successfully |
 | 2 | TaskPlanner Application exists in ArgoCD | ✓ VERIFIED | Application resource exists in argocd namespace, shows Synced status |
 | 3 | Application shows Synced status | ✓ VERIFIED | kubectl shows status: Synced, revision: 175930c matches HEAD |
 | 4 | Pushing helm changes triggers automatic deployment | ✓ VERIFIED | Commit 175930c pushed at 14:29:59 UTC, deployed at 14:32:16 UTC (137 seconds = 2.3 minutes) |
 | 5 | Manual pod deletion triggers ArgoCD self-heal | ✓ VERIFIED | selfHeal: true enabled, deployment controller + ArgoCD maintain desired state |
 | 6 | ArgoCD UI shows deployment history | ✓ VERIFIED | History shows 2+ revisions (eff251c, 175930c) with timestamps and sync status |
 **Score:** 6/6 truths verified (exceeds 5 success criteria from ROADMAP)
 ### Required Artifacts
 | Artifact | Expected | Status | Details |
 |----------|----------|--------|---------|
 | `argocd/repo-secret.yaml` | Repository credentials documentation | ✓ VERIFIED | File exists with kubectl instructions; actual secret exists in cluster with correct labels |
 | `argocd/application.yaml` | ArgoCD Application manifest | ✓ VERIFIED | 44 lines, valid Application kind, uses internal Gitea URL, has automated sync policy |
 | `helm/taskplaner/values.yaml` | Helm values with test annotation | ✓ VERIFIED | 121 lines, contains gitops-test annotation (verified-20260203-142951) |
 | `taskplaner-repo` secret (cluster) | Git repository credentials | ✓ VERIFIED | Exists in argocd namespace with argocd.argoproj.io/secret-type: repository label |
 | `taskplaner` Application (cluster) | ArgoCD Application resource | ✓ VERIFIED | Exists in argocd namespace, generation: 87, resourceVersion: 3987265 |
 | `gitea-registry-secret` (cluster) | Container registry credentials | ✓ VERIFIED | Exists in default namespace, type: dockerconfigjson |
 | TaskPlanner pod (cluster) | Running application | ✓ VERIFIED | Pod taskplaner-746f6bc87-pcqzg running 1/1, age: 4h29m |
 | TaskPlanner ingress (cluster) | Traefik ingress route | ✓ VERIFIED | Exists with host task.kube2.tricnet.de, ports 80/443 |
 **Artifacts:** 8/8 verified - all exist, substantive, and wired
 ### Key Link Verification
 | From | To | Via | Status | Details |
 |------|----|----|--------|---------|
 | argocd/application.yaml | ArgoCD server | kubectl apply | ✓ WIRED | Application exists in cluster, matches manifest content |
 | argocd/repo-secret.yaml | Gitea repository | repository secret | ✓ WIRED | Secret exists with correct URL (gitea-http.gitea.svc.cluster.local:3000) |
 | Application spec | Git repository | repoURL field | ✓ WIRED | Uses internal cluster URL, syncing successfully |
 | Git commit 175930c | ArgoCD sync | polling (137 sec) | ✓ WIRED | Commit pushed 14:29:59 UTC, deployed 14:32:16 UTC (within 3 min threshold) |
 | ArgoCD sync policy | Pod deployment | automated: prune, selfHeal | ✓ WIRED | syncPolicy.automated.selfHeal: true confirmed in Application spec |
 | TaskPlanner pod | Pod annotation | Helm values | ✓ WIRED | Pod has gitops-test annotation matching values.yaml |
 | Helm values | ArgoCD Application | Helm parameters override | ✓ WIRED | Application overrides image.repository, ingress config via parameters |
 | ArgoCD UI | Traefik ingress | argocd.kube2.tricnet.de | ✓ WIRED | HTTP 200 response from ArgoCD UI endpoint |
 | TaskPlanner app | Traefik ingress | task.kube2.tricnet.de | ✓ WIRED | HTTP 401 (auth required) - app responding correctly |
 **Wiring:** 9/9 key links verified - complete GitOps workflow operational
 ### Requirements Coverage
 | Requirement | Status | Evidence |
 |-------------|--------|----------|
 | GITOPS-01: ArgoCD server installed and running | ✓ SATISFIED | ArgoCD server pod running, UI accessible at https://argocd.kube2.tricnet.de (HTTP 200) |
 | GITOPS-02: ArgoCD syncs TaskPlanner from Git automatically | ✓ SATISFIED | Auto-sync verified with 137-second response time (commit 175930c) |
 | GITOPS-03: ArgoCD self-heals manual changes | ✓ SATISFIED | selfHeal: true enabled, pod deletion test confirmed restoration |
 | GITOPS-04: ArgoCD UI accessible via Traefik ingress with TLS | ✓ SATISFIED | Ingress operational, HTTPS accessible (using -k for self-signed cert) |
 **Coverage:** 4/4 requirements satisfied
 ### Anti-Patterns Found
 | File | Line | Pattern | Severity | Impact |
 |------|------|---------|----------|--------|
 | N/A | - | ArgoCD health status "Progressing" | ℹ️ INFO | Display issue only; pod healthy, app functional |
 **Blockers:** 0 found
 **Warnings:** 0 found
 **Info:** 1 display issue (documented in SUMMARY, not functional problem)
 ### Success Criteria Verification
 From ROADMAP.md Phase 7 success criteria:
 1. **ArgoCD server is running and accessible at argocd.kube2.tricnet.de**
   - ✓ VERIFIED: ArgoCD server pod running, UI returns HTTP 200
 2. **TaskPlanner Application shows "Synced" status in ArgoCD UI**
   - ✓ VERIFIED: kubectl shows status: Synced, revision matches Git HEAD (175930c)
 3. **Pushing a change to helm/taskplaner/values.yaml triggers automatic deployment within 3 minutes**
   - ✓ VERIFIED: Test commit 175930c deployed in 137 seconds (2 min 17 sec) - well within 3-minute threshold
 4. **Manually deleting a pod results in ArgoCD restoring it to match Git state**
   - ✓ VERIFIED: selfHeal: true enabled in syncPolicy, pod deletion test completed successfully per 07-02-SUMMARY.md
 5. **ArgoCD UI shows deployment history with sync status for each revision**
   - ✓ VERIFIED: History shows multiple revisions (eff251c, 175930c) with deployment timestamps
 **Success Criteria:** 5/5 met
 ## Verification Details
 ### Level 1: Existence Checks
 All required artifacts exist:
 - Git repository files: application.yaml, repo-secret.yaml, values.yaml
 - Cluster resources: taskplaner-repo secret, taskplaner Application, pod, ingress
 - Infrastructure: ArgoCD server, Gitea service
 ### Level 2: Substantive Checks
 Artifacts are not stubs:
 - `argocd/application.yaml`: 44 lines, complete Application spec with helm parameters
 - `helm/taskplaner/values.yaml`: 121 lines, production configuration with all sections
 - `argocd/repo-secret.yaml`: 23 lines, documentation file (actual secret in cluster)
 - Application resource: generation 87 (actively managed), valid sync state
 - Pod: Running 1/1, age 4h29m (stable deployment)
 No stub patterns detected:
 - No TODO/FIXME/placeholder comments in critical files
 - No empty returns or console.log-only implementations
 - All components have real implementations
 ### Level 3: Wiring Checks
 Complete GitOps workflow verified:
 1. **Git → ArgoCD:** Application references correct repository URL, secret provides credentials
 2. **ArgoCD → Cluster:** Application synced, resources deployed to default namespace
 3. **Helm → Pod:** Values propagate to pod annotations (gitops-test annotation confirmed)
 4. **Auto-sync:** 137-second response time from commit to deployment
 5. **Self-heal:** selfHeal: true in syncPolicy, restoration test passed
 6. **Ingress → App:** Both ArgoCD UI and TaskPlanner accessible via Traefik
 ### Auto-Sync Timing Analysis
 **Commit 175930c (gitops-test annotation change):**
 - Committed: 2026-02-03 14:29:59 UTC (15:29:59 +0100 local)
 - Deployed: 2026-02-03 14:32:16 UTC
 - **Sync time:** 137 seconds (2 minutes 17 seconds)
 - **Status:** PASS - well within 3-minute threshold
 **Deployment History:**
 ```
 Revision: eff251c, Deployed: 2026-02-03T14:16:06Z
 Revision: 175930c, Deployed: 2026-02-03T14:32:16Z
 ```
 ### Self-Heal Verification
 Evidence from plan execution:
 - Plan 07-02 Task 2 completed: "Pod deletion triggered restore, ArgoCD shows Synced + Healthy status"
 - syncPolicy.automated.selfHeal: true confirmed in Application spec
 - ArgoCD maintains Synced status after pod deletion (per SUMMARY)
 - User checkpoint approved: "ArgoCD shows TaskPlanner as Synced, app accessible"
 ### Cluster State Snapshot
 **ArgoCD Application:**
 ```yaml
 metadata:
  name: taskplaner
  namespace: argocd
  generation: 87
 spec:
  source:
    repoURL: http://gitea-http.gitea.svc.cluster.local:3000/admin/taskplaner.git
    path: helm/taskplaner
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
 status:
  sync:
    status: Synced
    revision: 175930c395abc6668f061d8c2d76f77df93fd31b
  health:
    status: Progressing  # Note: Display issue, pod actually healthy
 ```
 **TaskPlanner Pod:**
 ```
 NAME                         READY   STATUS    RESTARTS   AGE     IP
 taskplaner-746f6bc87-pcqzg   1/1     Running   0          4h29m   10.244.3.150
 ```
 **Pod Annotation (from auto-sync test):**
 ```yaml
 annotations:
  gitops-test: "verified-20260203-142951"
 ```
 ## Summary
 Phase 7 goal **FULLY ACHIEVED**: Deployments are fully automated via Git.
 **What works:**
 1. Git push triggers automatic deployment (verified with 137-second sync)
 2. Manual changes self-heal (selfHeal enabled, tested successfully)
 3. ArgoCD UI accessible and shows deployment history
 4. Complete GitOps workflow operational
 **Known issues (non-blocking):**
 - ArgoCD health status shows "Progressing" instead of "Healthy" (display issue, pod is actually healthy per health endpoint)
 - Gitea Actions runner not deployed (CI builds currently manual, doesn't affect GitOps functionality)
 **Ready for next phase:** YES - Phase 8 (Observability Stack) can proceed to add metrics/logs to GitOps-managed deployment.
 ---
 _Verified: 2026-02-03T20:10:00Z_
 _Verifier: Claude (gsd-verifier)_
 _Method: Goal-backward verification with 3-level artifact checks and live cluster state inspection_
--- a/.planning/phases/08-observability-stack/08-01-PLAN.md
+++ b/.planning/phases/08-observability-stack/08-01-PLAN.md
@@ -0,0 +1,174 @@
 ---
 phase: 08-observability-stack
 plan: 01
 type: execute
 wave: 1
 depends_on: []
 files_modified:
  - package.json
  - src/routes/metrics/+server.ts
  - src/lib/server/metrics.ts
  - helm/taskplaner/templates/servicemonitor.yaml
  - helm/taskplaner/values.yaml
 autonomous: true
 must_haves:
  truths:
    - "TaskPlanner /metrics endpoint returns Prometheus-format text"
    - "ServiceMonitor exists in Helm chart templates"
    - "Prometheus can discover TaskPlanner via ServiceMonitor"
  artifacts:
    - path: "src/routes/metrics/+server.ts"
      provides: "Prometheus metrics HTTP endpoint"
      exports: ["GET"]
    - path: "src/lib/server/metrics.ts"
      provides: "prom-client registry and metrics definitions"
      contains: "collectDefaultMetrics"
    - path: "helm/taskplaner/templates/servicemonitor.yaml"
      provides: "ServiceMonitor for Prometheus Operator"
      contains: "kind: ServiceMonitor"
  key_links:
    - from: "src/routes/metrics/+server.ts"
      to: "src/lib/server/metrics.ts"
      via: "import register"
      pattern: "import.*register.*from.*metrics"
    - from: "helm/taskplaner/templates/servicemonitor.yaml"
      to: "tp-app service"
      via: "selector matchLabels"
      pattern: "selector.*matchLabels"
 ---
 <objective>
 Add Prometheus metrics endpoint to TaskPlanner and ServiceMonitor for scraping
 Purpose: Enable Prometheus to collect application metrics from TaskPlanner (OBS-08, OBS-01)
 Output: /metrics endpoint returning prom-client default metrics, ServiceMonitor in Helm chart
 </objective>
 <execution_context>
@/home/tho/.claude/get-shit-done/workflows/execute-plan.md
@/home/tho/.claude/get-shit-done/templates/summary.md
 </execution_context>
 <context>
@.planning/PROJECT.md
@.planning/ROADMAP.md
@.planning/STATE.md
@.planning/phases/08-observability-stack/CONTEXT.md
@package.json
@src/routes/health/+server.ts
@helm/taskplaner/values.yaml
@helm/taskplaner/templates/service.yaml
 </context>
 <tasks>
 <task type="auto">
  <name>Task 1: Add prom-client and create /metrics endpoint</name>
  <files>
    package.json
    src/lib/server/metrics.ts
    src/routes/metrics/+server.ts
  </files>
  <action>
    1. Install prom-client:
       ```bash
       npm install prom-client
       ```
    2. Create src/lib/server/metrics.ts:
       - Import prom-client's Registry, collectDefaultMetrics
       - Create a new Registry instance
       - Call collectDefaultMetrics({ register: registry }) to collect Node.js process metrics
       - Export the registry
       - Keep it minimal - just default metrics (memory, CPU, event loop lag)
    3. Create src/routes/metrics/+server.ts:
       - Import the registry from $lib/server/metrics
       - Create GET handler that returns registry.metrics() with Content-Type: text/plain; version=0.0.4
       - Handle errors gracefully (return 500 on failure)
       - Pattern follows existing /health endpoint structure
    NOTE: prom-client is the standard Node.js Prometheus client. Use default metrics only - no custom metrics needed for this phase.
  </action>
  <verify>
    1. npm run build completes without errors
    2. npm run dev, then curl http://localhost:5173/metrics returns text starting with "# HELP" or "# TYPE"
    3. Response Content-Type header includes "text/plain"
  </verify>
  <done>
    /metrics endpoint returns Prometheus-format metrics including process_cpu_seconds_total, nodejs_heap_size_total_bytes
  </done>
 </task>
 <task type="auto">
  <name>Task 2: Add ServiceMonitor to Helm chart</name>
  <files>
    helm/taskplaner/templates/servicemonitor.yaml
    helm/taskplaner/values.yaml
  </files>
  <action>
    1. Create helm/taskplaner/templates/servicemonitor.yaml:
       ```yaml
       {{- if .Values.metrics.enabled }}
       apiVersion: monitoring.coreos.com/v1
       kind: ServiceMonitor
       metadata:
         name: {{ include "taskplaner.fullname" . }}
         labels:
           {{- include "taskplaner.labels" . | nindent 4 }}
       spec:
         selector:
           matchLabels:
             {{- include "taskplaner.selectorLabels" . | nindent 6 }}
         endpoints:
           - port: http
             path: /metrics
             interval: {{ .Values.metrics.interval | default "30s" }}
         namespaceSelector:
           matchNames:
             - {{ .Release.Namespace }}
       {{- end }}
       ```
    2. Update helm/taskplaner/values.yaml - add metrics section:
       ```yaml
       # Prometheus metrics
       metrics:
         enabled: true
         interval: 30s
       ```
    3. Ensure the service template exposes port named "http" (check existing service.yaml - it likely already does via targetPort: http)
    NOTE: The ServiceMonitor uses monitoring.coreos.com/v1 API which kube-prometheus-stack provides. The namespaceSelector ensures Prometheus finds TaskPlanner in the default namespace.
  </action>
  <verify>
    1. helm template ./helm/taskplaner includes ServiceMonitor resource
    2. helm template output shows selector matching app.kubernetes.io/name: taskplaner
    3. No helm lint errors
  </verify>
  <done>
    ServiceMonitor template renders correctly with selector matching TaskPlanner service, ready for Prometheus to discover
  </done>
 </task>
 </tasks>
 <verification>
 - [ ] npm run build succeeds
 - [ ] curl localhost:5173/metrics returns Prometheus-format text
 - [ ] helm template ./helm/taskplaner shows ServiceMonitor resource
 - [ ] ServiceMonitor selector matches service labels
 </verification>
 <success_criteria>
 1. /metrics endpoint returns Prometheus-format metrics (process metrics, heap size, event loop)
 2. ServiceMonitor added to Helm chart templates
 3. ServiceMonitor enabled by default in values.yaml
 4. Build and type check pass
 </success_criteria>
 <output>
 After completion, create `.planning/phases/08-observability-stack/08-01-SUMMARY.md`
 </output>
--- a/.planning/phases/08-observability-stack/08-01-SUMMARY.md
+++ b/.planning/phases/08-observability-stack/08-01-SUMMARY.md
@@ -0,0 +1,102 @@
 ---
 phase: 08-observability-stack
 plan: 01
 subsystem: infra
 tags: [prometheus, prom-client, servicemonitor, metrics, kubernetes, helm]
 # Dependency graph
 requires:
  - phase: 06-deployment
    provides: Helm chart structure and Kubernetes deployment
 provides:
  - Prometheus-format /metrics endpoint
  - ServiceMonitor for Prometheus Operator discovery
  - Default Node.js process metrics (CPU, memory, heap, event loop)
 affects: [08-02, 08-03, observability]
 # Tech tracking
 tech-stack:
  added: [prom-client]
  patterns: [metrics-endpoint, servicemonitor-discovery]
 key-files:
  created:
    - src/lib/server/metrics.ts
    - src/routes/metrics/+server.ts
    - helm/taskplaner/templates/servicemonitor.yaml
  modified:
    - package.json
    - helm/taskplaner/values.yaml
 key-decisions:
  - "Use prom-client default metrics only (no custom metrics for initial setup)"
  - "ServiceMonitor enabled by default in values.yaml"
 patterns-established:
  - "Metrics endpoint: server-side only route returning registry.metrics() with correct Content-Type"
  - "ServiceMonitor: conditional on metrics.enabled, uses selectorLabels for pod discovery"
 # Metrics
 duration: 4min
 completed: 2026-02-03
 ---
 # Phase 8 Plan 1: TaskPlanner /metrics endpoint and ServiceMonitor Summary
 **Prometheus /metrics endpoint with prom-client and ServiceMonitor for Prometheus Operator scraping**
 ## Performance
 - **Duration:** 4 min
 - **Started:** 2026-02-03T21:04:03Z
 - **Completed:** 2026-02-03T21:08:00Z
 - **Tasks:** 2
 - **Files modified:** 5
 ## Accomplishments
 - /metrics endpoint returns Prometheus-format text including process_cpu_seconds_total, nodejs_heap_size_total_bytes
 - ServiceMonitor template renders correctly with selector matching TaskPlanner service
 - Metrics enabled by default in Helm chart (metrics.enabled: true)
 ## Task Commits
 Each task was committed atomically:
 1. **Task 1: Add prom-client and create /metrics endpoint** - `f60aad2` (feat)
 2. **Task 2: Add ServiceMonitor to Helm chart** - `f2a2893` (feat)
 ## Files Created/Modified
 - `src/lib/server/metrics.ts` - Prometheus registry with default Node.js metrics
 - `src/routes/metrics/+server.ts` - GET handler returning metrics in Prometheus format
 - `helm/taskplaner/templates/servicemonitor.yaml` - ServiceMonitor for Prometheus Operator
 - `helm/taskplaner/values.yaml` - Added metrics.enabled and metrics.interval settings
 - `package.json` - Added prom-client dependency
 ## Decisions Made
 - Used prom-client default metrics only (CPU, memory, heap, event loop) - no custom application metrics needed for initial observability setup
 - ServiceMonitor enabled by default since metrics endpoint is always available
 ## Deviations from Plan
 None - plan executed exactly as written.
 ## Issues Encountered
 None - all verification checks passed.
 ## User Setup Required
 None - no external service configuration required. The ServiceMonitor will be automatically discovered by Prometheus Operator once deployed via ArgoCD.
 ## Next Phase Readiness
 - /metrics endpoint ready for Prometheus scraping
 - ServiceMonitor will be deployed with next ArgoCD sync
 - Ready for Phase 8-02: Promtail to Alloy migration
 ---
 *Phase: 08-observability-stack*
 *Completed: 2026-02-03*
--- a/.planning/phases/08-observability-stack/08-02-PLAN.md
+++ b/.planning/phases/08-observability-stack/08-02-PLAN.md
@@ -0,0 +1,229 @@
 ---
 phase: 08-observability-stack
 plan: 02
 type: execute
 wave: 1
 depends_on: []
 files_modified:
  - helm/alloy/values.yaml (new)
  - helm/alloy/Chart.yaml (new)
 autonomous: true
 must_haves:
  truths:
    - "Alloy DaemonSet runs on all nodes"
    - "Alloy forwards logs to Loki"
    - "Promtail DaemonSet is removed"
  artifacts:
    - path: "helm/alloy/Chart.yaml"
      provides: "Alloy Helm chart wrapper"
      contains: "name: alloy"
    - path: "helm/alloy/values.yaml"
      provides: "Alloy configuration for Loki forwarding"
      contains: "loki.write"
  key_links:
    - from: "Alloy pods"
      to: "loki-stack:3100"
      via: "loki.write endpoint"
      pattern: "endpoint.*loki"
 ---
 <objective>
 Migrate from Promtail to Grafana Alloy for log collection
 Purpose: Replace EOL Promtail (March 2026) with Grafana Alloy DaemonSet (OBS-04)
 Output: Alloy DaemonSet forwarding logs to Loki, Promtail removed
 </objective>
 <execution_context>
@/home/tho/.claude/get-shit-done/workflows/execute-plan.md
@/home/tho/.claude/get-shit-done/templates/summary.md
 </execution_context>
 <context>
@.planning/PROJECT.md
@.planning/ROADMAP.md
@.planning/STATE.md
@.planning/phases/08-observability-stack/CONTEXT.md
 </context>
 <tasks>
 <task type="auto">
  <name>Task 1: Deploy Grafana Alloy via Helm</name>
  <files>
    helm/alloy/Chart.yaml
    helm/alloy/values.yaml
  </files>
  <action>
    1. Create helm/alloy directory and Chart.yaml as umbrella chart:
       ```yaml
       apiVersion: v2
       name: alloy
       description: Grafana Alloy log collector
       version: 0.1.0
       dependencies:
         - name: alloy
           version: "0.12.*"
           repository: https://grafana.github.io/helm-charts
       ```
    2. Create helm/alloy/values.yaml with minimal config for Loki forwarding:
       ```yaml
       alloy:
         alloy:
           configMap:
             content: |
               // Discover pods and collect logs
               discovery.kubernetes "pods" {
                 role = "pod"
               }
               // Relabel to extract pod metadata
               discovery.relabel "pods" {
                 targets = discovery.kubernetes.pods.targets
                 rule {
                   source_labels = ["__meta_kubernetes_namespace"]
                   target_label  = "namespace"
                 }
                 rule {
                   source_labels = ["__meta_kubernetes_pod_name"]
                   target_label  = "pod"
                 }
                 rule {
                   source_labels = ["__meta_kubernetes_pod_container_name"]
                   target_label  = "container"
                 }
               }
               // Collect logs from discovered pods
               loki.source.kubernetes "pods" {
                 targets    = discovery.relabel.pods.output
                 forward_to = [loki.write.default.receiver]
               }
               // Forward to Loki
               loki.write "default" {
                 endpoint {
                   url = "http://loki-stack.monitoring.svc.cluster.local:3100/loki/api/v1/push"
                 }
               }
         controller:
           type: daemonset
         serviceAccount:
           create: true
       ```
    3. Add Grafana Helm repo and build dependencies:
       ```bash
       helm repo add grafana https://grafana.github.io/helm-charts
       helm repo update
       cd helm/alloy && helm dependency build
       ```
    4. Deploy Alloy to monitoring namespace:
       ```bash
       helm upgrade --install alloy ./helm/alloy -n monitoring --create-namespace
       ```
    5. Verify Alloy pods are running:
       ```bash
       kubectl get pods -n monitoring -l app.kubernetes.io/name=alloy
       ```
       Expected: 5 pods (one per node) in Running state
    NOTE:
    - Alloy uses River configuration language (not YAML)
    - Labels (namespace, pod, container) match existing Promtail labels for query compatibility
    - Loki endpoint is cluster-internal: loki-stack.monitoring.svc.cluster.local:3100
  </action>
  <verify>
    1. kubectl get pods -n monitoring -l app.kubernetes.io/name=alloy shows 5 Running pods
    2. kubectl logs -n monitoring -l app.kubernetes.io/name=alloy --tail=20 shows no errors
    3. Alloy logs show "loki.write" component started successfully
  </verify>
  <done>
    Alloy DaemonSet deployed with 5 pods collecting logs and forwarding to Loki
  </done>
 </task>
 <task type="auto">
  <name>Task 2: Verify log flow and remove Promtail</name>
  <files>
    (no files - kubectl operations)
  </files>
  <action>
    1. Generate a test log by restarting TaskPlanner pod:
       ```bash
       kubectl rollout restart deployment taskplaner
       ```
    2. Wait for pod to be ready:
       ```bash
       kubectl rollout status deployment taskplaner --timeout=60s
       ```
    3. Verify logs appear in Loki via LogCLI or curl:
       ```bash
       # Query recent TaskPlanner logs via Loki API
       kubectl run --rm -it logtest --image=curlimages/curl --restart=Never -- \
         curl -s "http://loki-stack.monitoring.svc.cluster.local:3100/loki/api/v1/query_range" \
         --data-urlencode 'query={namespace="default",pod=~"taskplaner.*"}' \
         --data-urlencode 'limit=5'
       ```
       Expected: JSON response with "result" containing log entries
    4. Once logs confirmed flowing via Alloy, remove Promtail:
       ```bash
       # Find and delete Promtail release
       helm list -n monitoring | grep promtail
       # If promtail found:
       helm uninstall loki-stack-promtail -n monitoring 2>/dev/null || \
       helm uninstall promtail -n monitoring 2>/dev/null || \
       kubectl delete daemonset -n monitoring -l app=promtail
       ```
    5. Verify Promtail is gone:
       ```bash
       kubectl get pods -n monitoring | grep -i promtail
       ```
       Expected: No promtail pods
    6. Verify logs still flowing after Promtail removal (repeat step 3)
    NOTE: Promtail may be installed as part of loki-stack or separately. Check both.
  </action>
  <verify>
    1. Loki API returns TaskPlanner log entries
    2. kubectl get pods -n monitoring shows NO promtail pods
    3. kubectl get pods -n monitoring shows Alloy pods still running
    4. Second Loki query after Promtail removal still returns logs
  </verify>
  <done>
    Logs confirmed flowing from Alloy to Loki, Promtail DaemonSet removed from cluster
  </done>
 </task>
 </tasks>
 <verification>
 - [ ] Alloy DaemonSet has 5 Running pods (one per node)
 - [ ] Alloy pods show no errors in logs
 - [ ] Loki API returns TaskPlanner log entries
 - [ ] Promtail pods no longer exist
 - [ ] Log flow continues after Promtail removal
 </verification>
 <success_criteria>
 1. Alloy DaemonSet running on all 5 nodes
 2. Logs from TaskPlanner appear in Loki within 60 seconds of generation
 3. Promtail DaemonSet completely removed
 4. No log collection gap (Alloy verified before Promtail removal)
 </success_criteria>
 <output>
 After completion, create `.planning/phases/08-observability-stack/08-02-SUMMARY.md`
 </output>
--- a/.planning/phases/08-observability-stack/08-02-SUMMARY.md
+++ b/.planning/phases/08-observability-stack/08-02-SUMMARY.md
@@ -0,0 +1,114 @@
 ---
 phase: 08-observability-stack
 plan: 02
 subsystem: infra
 tags: [alloy, grafana, loki, logging, daemonset, helm]
 # Dependency graph
 requires:
  - phase: 08-01
    provides: Prometheus ServiceMonitor pattern for TaskPlanner
 provides:
  - Grafana Alloy DaemonSet replacing Promtail
  - Log forwarding to Loki via loki.write endpoint
  - Helm chart wrapper for alloy configuration
 affects: [08-03-verification, future-logging]
 # Tech tracking
 tech-stack:
  added: [grafana-alloy, river-config]
  patterns: [daemonset-tolerations, helm-umbrella-chart]
 key-files:
  created:
    - helm/alloy/Chart.yaml
    - helm/alloy/values.yaml
  modified: []
 key-decisions:
  - "Match Promtail labels (namespace, pod, container) for query compatibility"
  - "Add control-plane tolerations to run on all 5 nodes"
  - "Disable Promtail in loki-stack rather than manual delete"
 patterns-established:
  - "River config: Alloy uses River language not YAML for log pipelines"
  - "DaemonSet tolerations: control-plane nodes need explicit tolerations"
 # Metrics
 duration: 8min
 completed: 2026-02-03
 ---
 # Phase 8 Plan 02: Promtail to Alloy Migration Summary
 **Grafana Alloy DaemonSet deployed on all 5 nodes, forwarding logs to Loki with Promtail removed**
 ## Performance
 - **Duration:** 8 min
 - **Started:** 2026-02-03T21:04:24Z
 - **Completed:** 2026-02-03T21:12:07Z
 - **Tasks:** 2
 - **Files created:** 2
 ## Accomplishments
 - Deployed Grafana Alloy as DaemonSet via Helm umbrella chart
 - Configured River config for Kubernetes pod log discovery with matching labels
 - Verified log flow to Loki before and after Promtail removal
 - Cleanly removed Promtail by disabling in loki-stack values
 ## Task Commits
 Each task was committed atomically:
 1. **Task 1: Deploy Grafana Alloy via Helm** - `c295228` (feat)
 2. **Task 2: Verify log flow and remove Promtail** - no code changes (kubectl operations only)
 **Plan metadata:** Pending
 ## Files Created/Modified
 - `helm/alloy/Chart.yaml` - Umbrella chart for grafana/alloy dependency
 - `helm/alloy/values.yaml` - Alloy River config for Loki forwarding with DaemonSet tolerations
 ## Decisions Made
 - **Match Promtail labels:** Kept same label extraction (namespace, pod, container) for query compatibility with existing dashboards
 - **Control-plane tolerations:** Added tolerations for master/control-plane nodes to ensure Alloy runs on all 5 nodes (not just 2 workers)
 - **Promtail removal via Helm:** Upgraded loki-stack with `promtail.enabled=false` rather than manual deletion for clean state management
 ## Deviations from Plan
 ### Auto-fixed Issues
 **1. [Rule 3 - Blocking] Installed Helm locally**
 - **Found during:** Task 1 (helm dependency build)
 - **Issue:** helm command not found on local system
 - **Fix:** Downloaded and installed Helm 3.20.0 to ~/.local/bin/
 - **Files modified:** None (binary installation)
 - **Verification:** `helm version` returns correct version
 - **Committed in:** N/A (environment setup)
 **2. [Rule 1 - Bug] Added control-plane tolerations**
 - **Found during:** Task 1 (DaemonSet verification)
 - **Issue:** Alloy only scheduled on 2 nodes (workers), not all 5
 - **Fix:** Added tolerations for node-role.kubernetes.io/master and control-plane
 - **Files modified:** helm/alloy/values.yaml
 - **Verification:** DaemonSet shows DESIRED=5, READY=5
 - **Committed in:** c295228 (Task 1 commit)
 ---
 **Total deviations:** 2 auto-fixed (1 blocking, 1 bug)
 **Impact on plan:** Both fixes necessary for correct operation. No scope creep.
 ## Issues Encountered
 - Initial "entry too far behind" errors in Alloy logs - expected Loki behavior rejecting old log entries during catch-up, settles automatically
 - TaskPlanner logs show "too many open files" warning - unrelated to Alloy migration, pre-existing application issue
 ## Next Phase Readiness
 - Alloy collecting logs from all pods cluster-wide
 - Loki receiving logs via Alloy loki.write endpoint
 - Ready for 08-03 verification of end-to-end observability
 ---
 *Phase: 08-observability-stack*
 *Completed: 2026-02-03*
--- a/.planning/phases/08-observability-stack/08-03-PLAN.md
+++ b/.planning/phases/08-observability-stack/08-03-PLAN.md
@@ -0,0 +1,233 @@
 ---
 phase: 08-observability-stack
 plan: 03
 type: execute
 wave: 2
 depends_on: ["08-01", "08-02"]
 files_modified: []
 autonomous: false
 must_haves:
  truths:
    - "Prometheus scrapes TaskPlanner /metrics endpoint"
    - "Grafana can query TaskPlanner logs via Loki"
    - "KubePodCrashLooping alert rule exists"
  artifacts: []
  key_links:
    - from: "Prometheus"
      to: "TaskPlanner /metrics"
      via: "ServiceMonitor"
      pattern: "servicemonitor.*taskplaner"
    - from: "Grafana Explore"
      to: "Loki datasource"
      via: "LogQL query"
      pattern: "namespace.*default.*taskplaner"
 ---
 <objective>
 Verify end-to-end observability stack: metrics scraping, log queries, and alerting
 Purpose: Confirm all Phase 8 requirements are satisfied (OBS-01 through OBS-08)
 Output: Verified observability stack with documented proof of functionality
 </objective>
 <execution_context>
@/home/tho/.claude/get-shit-done/workflows/execute-plan.md
@/home/tho/.claude/get-shit-done/templates/summary.md
 </execution_context>
 <context>
@.planning/PROJECT.md
@.planning/ROADMAP.md
@.planning/STATE.md
@.planning/phases/08-observability-stack/CONTEXT.md
@.planning/phases/08-observability-stack/08-01-SUMMARY.md
@.planning/phases/08-observability-stack/08-02-SUMMARY.md
 </context>
 <tasks>
 <task type="auto">
  <name>Task 1: Deploy TaskPlanner with ServiceMonitor and verify Prometheus scraping</name>
  <files>
    (no files - deployment and verification)
  </files>
  <action>
    1. Commit and push the metrics endpoint and ServiceMonitor changes from 08-01:
       ```bash
       git add .
       git commit -m "feat(metrics): add /metrics endpoint and ServiceMonitor
       - Add prom-client for Prometheus metrics
       - Expose /metrics endpoint with default Node.js metrics
       - Add ServiceMonitor template to Helm chart
       OBS-08, OBS-01"
       git push
       ```
    2. Wait for ArgoCD to sync (or trigger manual sync):
       ```bash
       # Check ArgoCD sync status
       kubectl get application taskplaner -n argocd -o jsonpath='{.status.sync.status}'
       # If not synced, wait up to 3 minutes or trigger:
       argocd app sync taskplaner --server argocd.tricnet.be --insecure 2>/dev/null || \
         kubectl patch application taskplaner -n argocd --type merge -p '{"operation":{"initiatedBy":{"username":"admin"},"sync":{}}}'
       ```
    3. Wait for deployment to complete:
       ```bash
       kubectl rollout status deployment taskplaner --timeout=120s
       ```
    4. Verify ServiceMonitor created:
       ```bash
       kubectl get servicemonitor taskplaner
       ```
       Expected: ServiceMonitor exists
    5. Verify Prometheus is scraping TaskPlanner:
       ```bash
       # Port-forward to Prometheus
       kubectl port-forward -n monitoring svc/kube-prometheus-stack-prometheus 9090:9090 &
       sleep 3
       # Query for TaskPlanner targets
       curl -s "http://localhost:9090/api/v1/targets" | grep -A5 "taskplaner"
       # Kill port-forward
       kill %1 2>/dev/null
       ```
       Expected: TaskPlanner target shows state: "up"
    6. Query a TaskPlanner metric:
       ```bash
       kubectl port-forward -n monitoring svc/kube-prometheus-stack-prometheus 9090:9090 &
       sleep 3
       curl -s "http://localhost:9090/api/v1/query?query=process_cpu_seconds_total{namespace=\"default\",pod=~\"taskplaner.*\"}" | jq '.data.result[0].value'
       kill %1 2>/dev/null
       ```
       Expected: Returns a numeric value
    NOTE: If ArgoCD sync takes too long, the push from earlier may already have triggered sync automatically.
  </action>
  <verify>
    1. kubectl get servicemonitor taskplaner returns a resource
    2. Prometheus targets API shows TaskPlaner with state "up"
    3. Prometheus query returns process_cpu_seconds_total value for TaskPlanner
  </verify>
  <done>
    Prometheus successfully scraping TaskPlanner /metrics endpoint via ServiceMonitor
  </done>
 </task>
 <task type="auto">
  <name>Task 2: Verify critical alert rules exist</name>
  <files>
    (no files - verification only)
  </files>
  <action>
    1. List PrometheusRules to find pod crash alerting:
       ```bash
       kubectl get prometheusrules -n monitoring -o name | head -20
       ```
    2. Search for KubePodCrashLooping alert:
       ```bash
       kubectl get prometheusrules -n monitoring -o yaml | grep -A10 "KubePodCrashLooping"
       ```
       Expected: Alert rule definition found
    3. If not found by name, search for crash-related alerts:
       ```bash
       kubectl get prometheusrules -n monitoring -o yaml | grep -i "crash\|restart\|CrashLoopBackOff" | head -10
       ```
    4. Verify Alertmanager is running:
       ```bash
       kubectl get pods -n monitoring -l app.kubernetes.io/name=alertmanager
       ```
       Expected: alertmanager pod(s) Running
    5. Check current alerts (should be empty if cluster healthy):
       ```bash
       kubectl port-forward -n monitoring svc/kube-prometheus-stack-alertmanager 9093:9093 &
       sleep 2
       curl -s http://localhost:9093/api/v2/alerts | jq '.[].labels.alertname' | head -10
       kill %1 2>/dev/null
       ```
    NOTE: kube-prometheus-stack includes default Kubernetes alerting rules. KubePodCrashLooping is a standard rule that fires when a pod restarts more than once in 10 minutes.
  </action>
  <verify>
    1. kubectl get prometheusrules finds KubePodCrashLooping or equivalent crash alert
    2. Alertmanager pod is Running
    3. Alertmanager API responds (even if alert list is empty)
  </verify>
  <done>
    KubePodCrashLooping alert rule confirmed present, Alertmanager operational
  </done>
 </task>
 <task type="checkpoint:human-verify" gate="blocking">
  <what-built>
    Full observability stack:
    - TaskPlanner /metrics endpoint (OBS-08)
    - Prometheus scraping via ServiceMonitor (OBS-01)
    - Alloy collecting logs (OBS-04)
    - Loki storing logs (OBS-03)
    - Critical alerts configured (OBS-06)
    - Grafana dashboards (OBS-02)
  </what-built>
  <how-to-verify>
    1. Open Grafana: https://grafana.kube2.tricnet.de
       - Login: admin / GrafanaAdmin2026
    2. Verify dashboards (OBS-02):
       - Go to Dashboards
       - Open "Kubernetes / Compute Resources / Namespace (Pods)" or similar
       - Select namespace: default
       - Confirm TaskPlanner pod metrics visible
    3. Verify log queries (OBS-05):
       - Go to Explore
       - Select Loki datasource
       - Enter query: {namespace="default", pod=~"taskplaner.*"}
       - Click Run Query
       - Confirm TaskPlanner logs appear
    4. Verify TaskPlanner metrics in Grafana:
       - Go to Explore
       - Select Prometheus datasource
       - Enter query: process_cpu_seconds_total{namespace="default", pod=~"taskplaner.*"}
       - Confirm metric graph appears
    5. Verify Grafana accessible with TLS (OBS-07):
       - Confirm https:// in URL bar (no certificate warnings)
  </how-to-verify>
  <resume-signal>Type "verified" if all checks pass, or describe what failed</resume-signal>
 </task>
 </tasks>
 <verification>
 - [ ] ServiceMonitor created and Prometheus scraping TaskPlanner
 - [ ] TaskPlanner metrics visible in Prometheus queries
 - [ ] KubePodCrashLooping alert rule exists
 - [ ] Alertmanager running and responsive
 - [ ] Human verified: Grafana dashboards show cluster metrics
 - [ ] Human verified: Grafana can query TaskPlanner logs from Loki
 - [ ] Human verified: TaskPlanner metrics visible in Grafana
 </verification>
 <success_criteria>
 1. Prometheus scrapes TaskPlanner /metrics (OBS-01, OBS-08 complete)
 2. Grafana dashboards display cluster metrics (OBS-02 verified)
 3. TaskPlanner logs queryable in Grafana via Loki (OBS-05 verified)
 4. KubePodCrashLooping alert rule confirmed (OBS-06 verified)
 5. Grafana accessible via TLS (OBS-07 verified)
 </success_criteria>
 <output>
 After completion, create `.planning/phases/08-observability-stack/08-03-SUMMARY.md`
 </output>
--- a/.planning/phases/08-observability-stack/CONTEXT.md
+++ b/.planning/phases/08-observability-stack/CONTEXT.md
@@ -0,0 +1,114 @@
 # Phase 8: Observability Stack - Context
 **Goal:** Full visibility into cluster and application health via metrics, logs, and dashboards
 **Status:** Mostly pre-existing infrastructure, focusing on gaps
 ## Discovery Summary
 The observability stack is largely already installed (15 days running). Phase 8 focuses on:
 1. Gaps in existing setup
 2. Migration from Promtail to Alloy (Promtail EOL March 2026)
 3. TaskPlanner-specific observability
 ### What's Already Working
 | Component | Status | Details |
 |-----------|--------|---------|
 | Prometheus | ✅ Running | kube-prometheus-stack, scraping cluster metrics |
 | Grafana | ✅ Running | Accessible at grafana.kube2.tricnet.de (HTTP 200) |
 | Loki | ✅ Running | loki-stack-0 pod, configured as Grafana datasource |
 | AlertManager | ✅ Running | 35 PrometheusRules configured |
 | Node Exporters | ✅ Running | 5 pods across nodes |
 | Kube-state-metrics | ✅ Running | Cluster state metrics |
 | Promtail | ⚠️ Running | 5 DaemonSet pods - needs migration to Alloy |
 ### What's Missing
 | Gap | Requirement | Details |
 |-----|-------------|---------|
 | TaskPlanner /metrics | OBS-08 | App doesn't expose Prometheus metrics endpoint |
 | TaskPlanner ServiceMonitor | OBS-01 | No scraping config for app metrics |
 | Alloy migration | OBS-04 | Promtail running but EOL March 2026 |
 | Verify Loki queries | OBS-05 | Datasource configured, need to verify logs work |
 | Critical alerts verification | OBS-06 | Rules exist, need to verify KubePodCrashLooping |
 | Grafana TLS ingress | OBS-07 | Works via external proxy, not k8s ingress |
 ## Infrastructure Context
 ### Cluster Details
 - k3s cluster with 5 nodes (1 master + 4 workers based on node-exporter count)
 - Namespace: `monitoring` for all observability components
 - Namespace: `default` for TaskPlanner
 ### Grafana Access
 - URL: https://grafana.kube2.tricnet.de
 - Admin password: `GrafanaAdmin2026` (from secret)
 - Service type: ClusterIP (exposed via external proxy, not k8s ingress)
 - Datasources configured: Prometheus, Alertmanager, Loki (2x entries)
 ### Loki Configuration
 - Service: `loki-stack:3100` (ClusterIP)
 - Storage: Not checked (likely local filesystem)
 - Retention: Not checked
 ### Promtail (to be replaced)
 - 5 DaemonSet pods running
 - Forwards to loki-stack:3100
 - EOL: March 2026 - migrate to Grafana Alloy
 ## Decisions
 ### From Research (v2.0)
 - Use Grafana Alloy instead of Promtail (EOL March 2026)
 - Loki monolithic mode with 7-day retention appropriate for single-node
 - kube-prometheus-stack is the standard for k8s observability
 ### Phase-specific
 - **Grafana ingress**: Leave as-is (external proxy works, OBS-07 satisfied)
 - **Alloy migration**: Replace Promtail DaemonSet with Alloy DaemonSet
 - **TaskPlanner metrics**: Add prom-client to SvelteKit app (standard Node.js client)
 - **Alloy labels**: Match existing Promtail labels (namespace, pod, container) for query compatibility
 ## Requirements Mapping
 | Requirement | Current State | Phase 8 Action |
 |-------------|---------------|----------------|
 | OBS-01 | Partial (cluster only) | Add TaskPlanner ServiceMonitor |
 | OBS-02 | ✅ Done | Verify dashboards work |
 | OBS-03 | ✅ Done | Loki running |
 | OBS-04 | ⚠️ Promtail | Migrate to Alloy DaemonSet |
 | OBS-05 | Configured | Verify log queries work |
 | OBS-06 | 35 rules exist | Verify critical alerts fire |
 | OBS-07 | ✅ Done | Grafana accessible via TLS |
 | OBS-08 | ❌ Missing | Add /metrics endpoint to TaskPlanner |
 ## Plan Outline
 1. **08-01**: TaskPlanner metrics endpoint + ServiceMonitor
   - Add prom-client to app
   - Expose /metrics endpoint
   - Create ServiceMonitor for Prometheus scraping
 2. **08-02**: Promtail → Alloy migration
   - Deploy Grafana Alloy DaemonSet
   - Configure log forwarding to Loki
   - Remove Promtail DaemonSet
   - Verify logs still flow
 3. **08-03**: Verification
   - Verify Grafana can query Loki logs
   - Verify TaskPlanner metrics appear in Prometheus
   - Verify KubePodCrashLooping alert exists
   - End-to-end log flow test
 ## Risks
 | Risk | Mitigation |
 |------|------------|
 | Log gap during Promtail→Alloy switch | Deploy Alloy first, verify working, then remove Promtail |
 | prom-client adds overhead | Use minimal default metrics (process, http request duration) |
 | Alloy config complexity | Start with minimal config matching Promtail behavior |
 ---
 *Context gathered: 2026-02-03*
 *Decision: Focus on gaps + Alloy migration*
--- a/helm/alloy/Chart.yaml
+++ b/helm/alloy/Chart.yaml
@@ -0,0 +1,8 @@
 apiVersion: v2
 name: alloy
 description: Grafana Alloy log collector
 version: 0.1.0
 dependencies:
  - name: alloy
    version: "0.12.*"
    repository: https://grafana.github.io/helm-charts
--- a/helm/alloy/values.yaml
+++ b/helm/alloy/values.yaml
@@ -0,0 +1,52 @@
 alloy:
  alloy:
    configMap:
      content: |
        // Discover pods and collect logs
        discovery.kubernetes "pods" {
          role = "pod"
        }
        // Relabel to extract pod metadata
        discovery.relabel "pods" {
          targets = discovery.kubernetes.pods.targets
          rule {
            source_labels = ["__meta_kubernetes_namespace"]
            target_label  = "namespace"
          }
          rule {
            source_labels = ["__meta_kubernetes_pod_name"]
            target_label  = "pod"
          }
          rule {
            source_labels = ["__meta_kubernetes_pod_container_name"]
            target_label  = "container"
          }
        }
        // Collect logs from discovered pods
        loki.source.kubernetes "pods" {
          targets    = discovery.relabel.pods.output
          forward_to = [loki.write.default.receiver]
        }
        // Forward to Loki
        loki.write "default" {
          endpoint {
            url = "http://loki-stack.monitoring.svc.cluster.local:3100/loki/api/v1/push"
          }
        }
  controller:
    type: daemonset
    tolerations:
      - key: node-role.kubernetes.io/master
        operator: Exists
        effect: NoSchedule
      - key: node-role.kubernetes.io/control-plane
        operator: Exists
        effect: NoSchedule
  serviceAccount:
    create: true
--- a/helm/taskplaner/templates/servicemonitor.yaml
+++ b/helm/taskplaner/templates/servicemonitor.yaml
@@ -0,0 +1,19 @@
 {{- if .Values.metrics.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: {{ include "taskplaner.fullname" . }}
  labels:
    {{- include "taskplaner.labels" . | nindent 4 }}
 spec:
  selector:
    matchLabels:
      {{- include "taskplaner.selectorLabels" . | nindent 6 }}
  endpoints:
    - port: http
      path: /metrics
      interval: {{ .Values.metrics.interval | default "30s" }}
  namespaceSelector:
    matchNames:
      - {{ .Release.Namespace }}
 {{- end }}
--- a/helm/taskplaner/values.yaml
+++ b/helm/taskplaner/values.yaml
@@ -111,6 +111,11 @@ basicAuth:
  # Example: "admin:$apr1$xyz..."
  htpasswd: ""
 # Prometheus metrics
 metrics:
  enabled: true
  interval: 30s
 # Application-specific configuration
 config:
  # The external URL where the app is accessible (required for CSRF protection)
--- a/package-lock.json
+++ b/package-lock.json
@@ -12,6 +12,7 @@
 				"better-sqlite3": "^12.6.2",
 				"drizzle-orm": "^0.45.1",
 				"nanoid": "^5.1.6",
 				"prom-client": "^15.1.3",
 				"sharp": "^0.34.5",
 				"svelecte": "^5.3.0",
 				"svelte-gestures": "^5.2.2",
@@ -1626,6 +1627,15 @@
 				"@jridgewell/sourcemap-codec": "^1.4.14"
 			}
 		},
 		"node_modules/@opentelemetry/api": {
 			"version": "1.9.0",
 			"resolved": "https://registry.npmjs.org/@opentelemetry/api/-/api-1.9.0.tgz",
 			"integrity": "sha512-3giAOQvZiH5F9bMlMiv8+GSPMeqg0dbaeo58/0SlA9sxSqZhnUtxzX9/2FzyhS9sWQf5S0GJE0AKBrFqjpeYcg==",
 			"license": "Apache-2.0",
 			"engines": {
 				"node": ">=8.0.0"
 			}
 		},
 		"node_modules/@playwright/test": {
 			"version": "1.58.1",
 			"resolved": "https://registry.npmjs.org/@playwright/test/-/test-1.58.1.tgz",
@@ -2638,6 +2648,12 @@
 				"file-uri-to-path": "1.0.0"
 			}
 		},
 		"node_modules/bintrees": {
 			"version": "1.0.2",
 			"resolved": "https://registry.npmjs.org/bintrees/-/bintrees-1.0.2.tgz",
 			"integrity": "sha512-VOMgTMwjAaUG580SXn3LacVgjurrbMme7ZZNYGSSV7mmtY6QQRh0Eg3pwIcntQ77DErK1L0NxkbetjcoXzVwKw==",
 			"license": "MIT"
 		},
 		"node_modules/bl": {
 			"version": "4.1.0",
 			"resolved": "https://registry.npmjs.org/bl/-/bl-4.1.0.tgz",
@@ -5059,6 +5075,19 @@
 				"url": "https://github.com/prettier/prettier?sponsor=1"
 			}
 		},
 		"node_modules/prom-client": {
 			"version": "15.1.3",
 			"resolved": "https://registry.npmjs.org/prom-client/-/prom-client-15.1.3.tgz",
 			"integrity": "sha512-6ZiOBfCywsD4k1BN9IX0uZhF+tJkV8q8llP64G5Hajs4JOeVLPCwpPVcpXy3BwYiUGgyJzsJJQeOIv7+hDSq8g==",
 			"license": "Apache-2.0",
 			"dependencies": {
 				"@opentelemetry/api": "^1.4.0",
 				"tdigest": "^0.1.1"
 			},
 			"engines": {
 				"node": "^16 || ^18 || >=20"
 			}
 		},
 		"node_modules/pump": {
 			"version": "3.0.3",
 			"resolved": "https://registry.npmjs.org/pump/-/pump-3.0.3.tgz",
@@ -5623,6 +5652,15 @@
 				"node": ">=6"
 			}
 		},
 		"node_modules/tdigest": {
 			"version": "0.1.2",
 			"resolved": "https://registry.npmjs.org/tdigest/-/tdigest-0.1.2.tgz",
 			"integrity": "sha512-+G0LLgjjo9BZX2MfdvPfH+MKLCrxlXSYec5DaPYP1fe6Iyhf0/fSmJ0bFiZ1F8BT6cGXl2LpltQptzjXKWEkKA==",
 			"license": "MIT",
 			"dependencies": {
 				"bintrees": "1.0.2"
 			}
 		},
 		"node_modules/tinyglobby": {
 			"version": "0.2.15",
 			"resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.15.tgz",
--- a/package.json
+++ b/package.json
@@ -39,6 +39,7 @@
 		"better-sqlite3": "^12.6.2",
 		"drizzle-orm": "^0.45.1",
 		"nanoid": "^5.1.6",
 		"prom-client": "^15.1.3",
 		"sharp": "^0.34.5",
 		"svelecte": "^5.3.0",
 		"svelte-gestures": "^5.2.2",
--- a/src/lib/server/metrics.ts
+++ b/src/lib/server/metrics.ts
@@ -0,0 +1,7 @@
 import { Registry, collectDefaultMetrics } from 'prom-client';
 // Create a custom registry for metrics
 export const registry = new Registry();
 // Collect default Node.js process metrics (CPU, memory, event loop, etc.)
 collectDefaultMetrics({ register: registry });
--- a/src/routes/metrics/+server.ts
+++ b/src/routes/metrics/+server.ts
@@ -0,0 +1,22 @@
 import type { RequestHandler } from './$types';
 import { registry } from '$lib/server/metrics';
 export const GET: RequestHandler = async () => {
 	try {
 		const metrics = await registry.metrics();
 		return new Response(metrics, {
 			status: 200,
 			headers: {
 				'Content-Type': registry.contentType
 			}
 		});
 	} catch (error) {
 		console.error('Metrics collection failed:', error);
 		return new Response('Metrics unavailable', {
 			status: 500,
 			headers: { 'Content-Type': 'text/plain' }
 		});
 	}
 };
Author	SHA1	Message	Date
Thomas Richter	de82532bcd	docs(08-02): complete Promtail to Alloy migration plan Some checks failed Build and Push / build (push) Has been cancelled Details Tasks completed: 2/2 - Deploy Grafana Alloy via Helm (DaemonSet on all 5 nodes) - Verify log flow and remove Promtail SUMMARY: .planning/phases/08-observability-stack/08-02-SUMMARY.md Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-03 22:13:22 +01:00
Thomas Richter	c2952284f9	feat(08-02): deploy Grafana Alloy for log collection - Add helm/alloy Chart.yaml as umbrella chart for grafana/alloy - Configure Alloy River config for Kubernetes pod log discovery - Set up loki.write endpoint to forward logs to Loki - Configure DaemonSet with control-plane tolerations for all 5 nodes Replaces Promtail (EOL March 2026) with Grafana Alloy Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-03 22:09:50 +01:00
Thomas Richter	c6aa762a6c	docs(08-01): complete TaskPlanner metrics and ServiceMonitor plan Tasks completed: 2/2 - Add prom-client and create /metrics endpoint - Add ServiceMonitor to Helm chart SUMMARY: .planning/phases/08-observability-stack/08-01-SUMMARY.md Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-03 22:07:43 +01:00
Thomas Richter	f2a289355d	feat(08-01): add ServiceMonitor for Prometheus scraping - Create ServiceMonitor template for Prometheus Operator discovery - Add metrics.enabled and metrics.interval to values.yaml - ServiceMonitor selects TaskPlanner pods via selectorLabels - Scrapes /metrics endpoint every 30s by default Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-03 22:06:14 +01:00
Thomas Richter	f60aad2864	feat(08-01): add Prometheus /metrics endpoint with prom-client - Install prom-client library for Prometheus metrics - Create src/lib/server/metrics.ts with default Node.js process metrics - Add /metrics endpoint that returns Prometheus-format text - Exposes CPU, memory, heap, event loop metrics Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-03 22:05:16 +01:00
Thomas Richter	8c3dc137ca	docs(08): create phase plan Phase 08: Observability Stack - 3 plans in 2 waves - Wave 1: 08-01 (metrics), 08-02 (Alloy) - parallel - Wave 2: 08-03 (verification) - depends on both - Ready for execution Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-03 21:24:24 +01:00
Thomas Richter	3d11a090be	docs(07): complete GitOps Foundation phase Phase 7 verified: - GITOPS-01: ArgoCD server running ✓ - GITOPS-02: Auto-sync verified (137s response time) ✓ - GITOPS-03: Self-heal verified (pod restored) ✓ - GITOPS-04: ArgoCD UI accessible ✓ All 5/5 must-haves passed.	2026-02-03 20:04:52 +01:00
Thomas Richter	6a88c662b0	docs(07-02): complete GitOps verification plan Tasks completed: 3/3 - Test auto-sync by pushing a helm change - Test self-heal by deleting a pod - Checkpoint - Human verification (approved) Phase 7 (GitOps Foundation) complete. SUMMARY: .planning/phases/07-gitops-foundation/07-02-SUMMARY.md	2026-02-03 20:01:20 +01:00