Add alerts for silent failure modes found during staging validation

[scotwells]

Summary

Post-deploy validation of the alert rule changes (#140) found 5 issues in staging over the past week that were not caught by any alert. These represent gaps in our current alerting coverage.

Missing alerts

1. NATS consumer lag (critical gap)

The clickhouse-ingest consumer stalled for 10 hours with 15,544 messages stuck. No alert fired.

- alert: NATSConsumerLagHigh
  expr: nats_jetstream_consumer_num_pending{stream="AUDIT_EVENTS",consumer="clickhouse-ingest"} > 1000
  for: 5m

2. AuditLogQuery 504 errors

Users received 504 errors on audit log queries with no alert. The existing error rate alert uses a 1% threshold which is too high for low-traffic periods.

- alert: AuditLogQuery504Errors
  expr: rate(apiserver_request_total{job="activity-apiserver",code="504",resource="auditlogqueries"}[5m]) > 0
  for: 5m

3. ClickHouse query iteration errors

activity_clickhouse_query_errors_total{error_type="iteration"} indicates client disconnects or row iteration failures. No alert exists.

4. DLQ slow-leak detection

The existing DLQQueueGrowing alert requires >100 events in 15 minutes. A slow leak of ~59 events over a week goes undetected. Lower the threshold or add an hourly increase check.

5. Pipeline end-to-end latency

P99 pipeline latency spiked to 100-114s with no alert. Consider alerting on activity_pipeline_end_to_end_latency_seconds p99 > 30s.

[scotwells]

Production findings (March 19-26)

Production had more severe silent failures than staging. 8 issues found, none caught by alerting.

Critical

1. Automated polling client still running (ongoing)

• 5-6.5 req/s sustained for 16+ hours on Mar 25, resumed at 1.5 req/s after a brief stop
• 14x the normal baseline rate. Directly caused findings 2, 5, and 7 below.
• Tracked in Add per-user rate limiting and query timeouts for AuditLogQuery #136 (rate limiting)

High

2. ClickHouse concurrency saturation across all 3 shards

• 902 total ConcurrencyControlQueriesDelayed events over the week
• Queries actively throttled at ClickHouse layer with no alert
• Tracked in Add alert on ClickHouse ConcurrencyControlQueriesDelayed #138 (alert not yet added)

3. NATS clickhouse-ingest consumer stalled 10 hours (Mar 20)

• 15,544 messages stuck from 17:35 UTC Mar 20 to ~03:30 UTC Mar 21
• Audit events not queryable during this window. Consumer was completely frozen.

4. Vector-to-ClickHouse pipeline had a 48-hour zero-write gap (Mar 21-23)

• No events written from Mar 21 14:10 to Mar 23 14:50 — two full days
• Additional 26-hour gap Mar 24-25
• Audit log queries returned incomplete results with no indication

Medium

5. p50 latency hit 5.5s (Mar 23) — majority of users impacted

• Three events where median response time exceeded 1s (peaks: 5.5s, 3.25s, 2.5s)
• p99 peaked at 4.076s — just under the new 5s alert threshold

6. DLQ: 103 events over the week for dnsrecordset CEL errors

• Ongoing. Tracked in Fix CEL rules 12-14 in DNSRecordSet ActivityPolicy: requestObject missing recordType on PATCH dns-operator#36.

7. ClickHouse query failures on shard-0 (today)

• ~24 failures/hour correlating with polling client load

8. Processor NATS disconnects (Mar 25)

• Brief disconnects during peak polling load, auto-reconnected

Additional alerts needed (beyond what's in this issue)

• sum(rate(apiserver_request_total{resource="auditlogqueries",verb="POST"}[5m])) > 2 for 10m — sustained query rate
• activity:nats_consumer_lag > 1000 for 5m — consumer backlog
• activity:vector_writes_events:5m == 0 for 15m — Vector write pipeline stopped
• p50 latency alert for auditlogqueries POST > 1s
• Lower the p99 alert threshold from 5s to 3s (4.076s peak was just under 5s)

Most concerning

The 48-hour Vector write gap is the most severe finding — audit log completeness is the core value of this service and it was silently broken for two full days.