@pleri/olam-cli 0.1.161 → 0.1.166

package/host-cp/peripheral-services/manifests/90-prom-alert-cardinality.yaml

@@ -0,0 +1,50 @@
+# 90-prom-alert-cardinality.yaml — Phase C Task C2 cardinality alert rule.
+#
+# PrometheusRule CR: fires OlamActiveSeriesHigh when prometheus_tsdb_head_series
+# exceeds 80k (80% of the 100k active-series cap defined by P4).
+#
+# ruleSelector match: the Prometheus CR rendered by kube-prom-stack 85.2.0 uses
+#   ruleSelector: matchLabels: release: "olam-prom"
+# (verified via `helm template ... | grep -A3 ruleSelector`).
+# The label below MUST match or this rule is silently ignored by Prometheus.
+#
+# Alertmanager: enabled in kube-prom-stack-values.yaml from C2 onwards.
+# Receivers: not yet configured (C2 scope = rule landing; receiver config is C4+).
+# Alertmanager will fire the alert to its default null receiver until receivers
+# are wired — this is intentional. The alert is visible in the Prometheus UI
+# at /alerts regardless of receiver config.
+#
+# Refs: docs/plans/k3s-ingress-observability/phase-c-tasks.md — Task C2
+#       T1 (cardinality bomb) + P4 (<100k active series)
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: olam-cardinality
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: olam-prometheus-rules
+    app.kubernetes.io/managed-by: olam
+    # REQUIRED: matches Prometheus CR's ruleSelector (release: "olam-prom").
+    # Verified via helm template output, 2026-05-21.
+    release: olam-prom
+spec:
+  groups:
+    - name: olam-cardinality
+      interval: 30s
+      rules:
+        - alert: OlamActiveSeriesHigh
+          expr: |
+            prometheus_tsdb_head_series > 80000
+          for: 5m
+          labels:
+            severity: warning
+            scope: cardinality
+          annotations:
+            summary: "Active series above 80k threshold (80% of 100k cap)"
+            description: |
+              prometheus_tsdb_head_series is {{ $value | humanize }} — within 20%
+              of the 100k cardinality budget (P4). Investigate which service is
+              emitting a new high-cardinality label, OR add a DROP rule to
+              kube-prom-stack-values.yaml metricRelabelings for that ServiceMonitor.
+              Runbook: docs/architecture/observability-cardinality.md (TBD — C4+)

package/host-cp/peripheral-services/manifests/91-servicemonitor-host-cp.yaml

@@ -0,0 +1,70 @@
+# 91-servicemonitor-host-cp.yaml — Phase C Task C3 ServiceMonitor for host-cp.
+#
+# Registers host-cp's /metrics endpoint with Prometheus for scraping.
+#
+# NOTE: This manifest requires the ServiceMonitor CRD installed by
+# kube-prometheus-stack (Phase C Task C1). It is SKIPPED by
+# apply-manifests.sh (which targets the Phase A ingress harness) and is
+# applied by the phase-c-e2e harness after kube-prom-stack ships CRDs.
+#
+# Namespace placement (CRITICAL — C2 dogfood lesson):
+#   ServiceMonitors MUST live in the `monitoring` namespace to be discovered
+#   by the Prometheus CR's serviceMonitorNamespaceSelector. A ServiceMonitor
+#   in any other namespace is silently ignored by default RBAC.
+#
+# Label compliance:
+#   `release: olam-prom` matches the Prometheus CR's serviceMonitorSelector
+#   (verified via `helm template ... | grep -A3 serviceMonitorSelector`).
+#
+# Target selector:
+#   Matches the host-cp Service by its `app: olam-host-cp` label. Adjust if
+#   the Service label differs in the target cluster (check
+#   `kubectl get svc -n olam -l app=olam-host-cp`).
+#
+# metricRelabelings (layer-2 cardinality enforcement):
+#   Mirrors the `*cardinality-labeldrop` YAML anchor from
+#   kube-prom-stack-values.yaml. host-cp's /metrics is taxonomy-compliant
+#   (only {service,route,method,status_code} labels), but the labeldrop rule
+#   is present as defense-in-depth: if a future code change accidentally
+#   emits a banned label (world_id etc.), this ServiceMonitor drops it before
+#   ingest so the cardinality cap is never breached.
+#
+# Refs: docs/plans/k3s-ingress-observability/phase-c-tasks.md — Task C3
+#       T1 (cardinality bomb) + P4 (<100k active series)
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: olam-host-cp
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: olam-host-cp-monitor
+    app.kubernetes.io/managed-by: olam
+    # REQUIRED: matches Prometheus CR's serviceMonitorSelector.
+    release: olam-prom
+spec:
+  # Discover the host-cp Service in the olam namespace.
+  namespaceSelector:
+    matchNames:
+      - olam
+  selector:
+    matchLabels:
+      app: olam-host-cp
+  endpoints:
+    - port: http
+      path: /metrics
+      interval: 15s
+      # Preserve the application-emitted `service` label. Without honorLabels,
+      # Prometheus's target-label injection (where `service` = the k8s Service
+      # name `olam-host-cp`) overrides the application's own `service=host-cp`
+      # value, moving the app's value into `exported_service`. The C5 drill-in
+      # dashboards filter on `service=host-cp`, so without honorLabels their
+      # panels show empty data. Surfaced during 2026-05-21 operator dogfood —
+      # see docs/incidents/2026-05-21-phase-c-dogfood.md, finding #3.
+      honorLabels: true
+      # Layer-2 cardinality enforcement — same regex as *cardinality-labeldrop
+      # in kube-prom-stack-values.yaml. Defense-in-depth: drops banned labels
+      # even if the service accidentally emits them.
+      metricRelabelings:
+        - action: labeldrop
+          regex: 'world_id|trace_id|user_id|request_id|operator_id'

package/host-cp/peripheral-services/manifests/92-servicemonitor-kg-service.yaml

@@ -0,0 +1,70 @@
+# 92-servicemonitor-kg-service.yaml — Phase C Task C3 ServiceMonitor for kg-service.
+#
+# Registers kg-service's /metrics endpoint with Prometheus for scraping.
+#
+# NOTE: This manifest requires the ServiceMonitor CRD installed by
+# kube-prometheus-stack (Phase C Task C1). It is SKIPPED by
+# apply-manifests.sh (which targets the Phase A ingress harness) and is
+# applied by the phase-c-e2e harness after kube-prom-stack ships CRDs.
+#
+# Namespace placement (CRITICAL — C2 dogfood lesson):
+#   ServiceMonitors MUST live in the `monitoring` namespace to be discovered
+#   by the Prometheus CR's serviceMonitorNamespaceSelector. A ServiceMonitor
+#   in any other namespace is silently ignored by default RBAC.
+#
+# Label compliance:
+#   `release: olam-prom` matches the Prometheus CR's serviceMonitorSelector
+#   (verified via `helm template ... | grep -A3 serviceMonitorSelector`).
+#
+# Target selector:
+#   Matches the kg-service Service by its `app: olam-kg-service` label. Adjust
+#   if the Service label differs in the target cluster (check
+#   `kubectl get svc -n olam -l app=olam-kg-service`).
+#
+# metricRelabelings (layer-2 cardinality enforcement):
+#   Mirrors the `*cardinality-labeldrop` YAML anchor from
+#   kube-prom-stack-values.yaml. kg-service's /metrics is taxonomy-compliant
+#   (only {service,route,method,status_code} labels), but the labeldrop rule
+#   is present as defense-in-depth: if a future code change accidentally
+#   emits a banned label (world_id etc.), this ServiceMonitor drops it before
+#   ingest so the cardinality cap is never breached.
+#
+# Refs: docs/plans/k3s-ingress-observability/phase-c-tasks.md — Task C3
+#       T1 (cardinality bomb) + P4 (<100k active series)
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: olam-kg-service
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: olam-kg-service-monitor
+    app.kubernetes.io/managed-by: olam
+    # REQUIRED: matches Prometheus CR's serviceMonitorSelector.
+    release: olam-prom
+spec:
+  # Discover the kg-service Service in the olam namespace.
+  namespaceSelector:
+    matchNames:
+      - olam
+  selector:
+    matchLabels:
+      app: olam-kg-service
+  endpoints:
+    - port: http
+      path: /metrics
+      interval: 15s
+      # Preserve the application-emitted `service` label. Without honorLabels,
+      # Prometheus's target-label injection (where `service` = the k8s Service
+      # name `olam-kg-service`) overrides the application's own `service=kg-service`
+      # value, moving the app's value into `exported_service`. The C5 drill-in
+      # dashboards filter on `service=kg-service`, so without honorLabels their
+      # panels show empty data. Surfaced during 2026-05-21 operator dogfood —
+      # see docs/incidents/2026-05-21-phase-c-dogfood.md, finding #3.
+      honorLabels: true
+      # Layer-2 cardinality enforcement — same regex as *cardinality-labeldrop
+      # in kube-prom-stack-values.yaml. Defense-in-depth: drops banned labels
+      # even if the service accidentally emits them.
+      metricRelabelings:
+        - action: labeldrop
+          regex: 'world_id|trace_id|user_id|request_id|operator_id'

package/host-cp/peripheral-services/manifests/93-servicemonitor-memory-service.yaml

@@ -0,0 +1,87 @@
+# 93-servicemonitor-memory-service.yaml — Phase C Task C3 closure ServiceMonitor.
+#
+# Registers memory-service's /metrics endpoint with Prometheus for scraping.
+# C3 originally shipped instrumentation for host-cp + kg-service (PR #787) but
+# DEFERRED memory-service because the third-party `agentmemory` Node CLI that
+# runs in k3s exposes no /metrics endpoint. This PR closes that deferral by
+# shipping a small Node HTTP front-door (packages/memory-service/src/metrics-proxy.mjs)
+# inside the container image: external traffic hits the proxy on :3111, the
+# proxy short-circuits /metrics + forwards everything else to agentmemory on
+# loopback :3110. End-state matches the host-cp/kg-service shape so the ServiceMonitor
+# pattern below is a near-clone of 91-servicemonitor-host-cp.yaml.
+#
+# NOTE: This manifest requires the ServiceMonitor CRD installed by
+# kube-prometheus-stack (Phase C Task C1). It is SKIPPED by
+# apply-manifests.sh (which targets the Phase A ingress harness) and is
+# applied by the phase-c-e2e harness after kube-prom-stack ships CRDs.
+#
+# Namespace placement (CRITICAL — C2 dogfood lesson):
+#   ServiceMonitors MUST live in the `monitoring` namespace to be discovered
+#   by the Prometheus CR's serviceMonitorNamespaceSelector. A ServiceMonitor
+#   in any other namespace is silently ignored by default RBAC.
+#
+# Label compliance:
+#   `release: olam-prom` matches the Prometheus CR's serviceMonitorSelector.
+#
+# Target selector:
+#   Matches the memory-service Service by its `app: olam-memory-service` label.
+#   The Service is defined in packages/host-cp/k8s/manifests/memory-service/60-service.yaml
+#   (port `http` -> targetPort 3111). The 50-traefik-ingressroute-agent-memory.yaml
+#   IngressRoute references the same Service for /api/agent-memory/* traffic.
+#
+# Image rollout dependency:
+#   The proxy lives inside the container image. Until the next release pipeline
+#   refreshes ghcr.io/pleri/olam-memory-service with the post-C3-closure
+#   Dockerfile (npm run refresh:manifest-digests), this ServiceMonitor will scrape
+#   a target that responds 404 to /metrics. Prometheus tolerates that (the target
+#   stays UP, scrape_samples_scraped=0). When the new image lands, scraping
+#   begins producing real samples without any cluster-side change.
+#
+# metricRelabelings (layer-2 cardinality enforcement):
+#   Mirrors the `*cardinality-labeldrop` YAML anchor from
+#   kube-prom-stack-values.yaml. memory-service's /metrics is taxonomy-compliant
+#   (only {service,route,method,status_code} labels), but the labeldrop rule
+#   is present as defense-in-depth: if a future code change accidentally
+#   emits a banned label (world_id etc.), this ServiceMonitor drops it before
+#   ingest so the cardinality cap is never breached.
+#
+# Refs: docs/plans/k3s-ingress-observability/phase-c-tasks.md — Task C3
+#       T1 (cardinality bomb) + P4 (<100k active series).
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: olam-memory-service
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: olam-memory-service-monitor
+    app.kubernetes.io/managed-by: olam
+    # REQUIRED: matches Prometheus CR's serviceMonitorSelector.
+    release: olam-prom
+spec:
+  # Discover the memory-service Service in the olam namespace.
+  namespaceSelector:
+    matchNames:
+      - olam
+  selector:
+    matchLabels:
+      app: olam-memory-service
+  endpoints:
+    - port: http
+      path: /metrics
+      interval: 15s
+      # Preserve the application-emitted `service` label. Without honorLabels,
+      # Prometheus's target-label injection (where `service` = the k8s Service
+      # name `olam-memory-service`) overrides the application's own
+      # `service=memory-service` value, moving the app's value into
+      # `exported_service`. The C5 drill-in dashboards filter on
+      # `service=memory-service`, so without honorLabels their panels show
+      # empty data. Same lesson as the host-cp/kg-service ServiceMonitors —
+      # see docs/incidents/2026-05-21-phase-c-dogfood.md finding #3.
+      honorLabels: true
+      # Layer-2 cardinality enforcement — same regex as *cardinality-labeldrop
+      # in kube-prom-stack-values.yaml. Defense-in-depth: drops banned labels
+      # even if the service accidentally emits them.
+      metricRelabelings:
+        - action: labeldrop
+          regex: 'world_id|trace_id|user_id|request_id|operator_id'

package/host-cp/peripheral-services/manifests/95-prom-recording-rules.yaml

@@ -0,0 +1,108 @@
+# 95-prom-recording-rules.yaml — Phase C Task C4
+#
+# Naming convention: olam:<metric>:<aggregation>
+#
+#   olam          — project namespace prefix (all project recording rules share this)
+#   <metric>      — the base Prometheus metric being aggregated (without _bucket/_total suffix
+#                   when the aggregation already implies the source type)
+#   <aggregation> — describes what was computed + the grouping dimensions, e.g.
+#                   p95_by_service_route, rate5m_by_service, ratio_by_service_route
+#
+# Modeled on the community convention from
+# https://prometheus.io/docs/practices/rules/#naming — <level>:<metric>:<ops>.
+# The <aggregation> suffix encodes BOTH the operation (p95, rate5m, ratio) and
+# the grouping dimensions (_by_service, _by_service_route) so dashboard panels
+# can select the pre-computed series without further aggregation.
+#
+# Source metrics (provided by C3 — host-cp + kg-service ServiceMonitors):
+#   http_request_duration_seconds_bucket{service, route, method, status_code, le}
+#   http_requests_total{service, route, method, status_code}
+#
+# rule group interval: 30s — half the scrape interval (15s × 2). Balances
+# freshness vs evaluation CPU; at 30s each window is re-evaluated twice per
+# minute, keeping percentiles and rates responsive without hammering the TSDB.
+#
+# NOTE: recording rules intentionally reference NO banned labels
+# (world_id, trace_id, user_id, request_id, operator_id). C2's labeldrop at
+# scrape time strips them before ingest; even if a metric slipped through,
+# referencing them here would suppress results. Defense-in-depth: don't type
+# them at all.
+#
+# Applied by: scripts/e2e/prom-no-double-grafana.sh (C4 assertion block)
+# Skipped by: scripts/test-ingress-integration/apply-manifests.sh
+#             (9[0-9]-prom-* glob) — requires kube-prom-stack CRDs to be present.
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: olam-recording-rules
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: olam-prometheus-rules
+    app.kubernetes.io/managed-by: olam
+    release: olam-prom   # must match kube-prom-stack ruleSelector (verified C2)
+spec:
+  groups:
+    - name: olam-http-aggregations
+      interval: 30s
+      rules:
+        # ============================================================
+        # Latency percentiles per service+route — Phase C Task C4
+        # Source: http_request_duration_seconds_bucket (C3)
+        # ============================================================
+        - record: olam:http_request_duration_seconds:p50_by_service_route
+          expr: |
+            histogram_quantile(0.50, sum by (service, route, le) (
+              rate(http_request_duration_seconds_bucket[5m])
+            ))
+
+        - record: olam:http_request_duration_seconds:p95_by_service_route
+          expr: |
+            histogram_quantile(0.95, sum by (service, route, le) (
+              rate(http_request_duration_seconds_bucket[5m])
+            ))
+
+        - record: olam:http_request_duration_seconds:p99_by_service_route
+          expr: |
+            histogram_quantile(0.99, sum by (service, route, le) (
+              rate(http_request_duration_seconds_bucket[5m])
+            ))
+
+        # Aggregate p95 across all routes (per-service summary)
+        - record: olam:http_request_duration_seconds:p95_by_service
+          expr: |
+            histogram_quantile(0.95, sum by (service, le) (
+              rate(http_request_duration_seconds_bucket[5m])
+            ))
+
+        # ============================================================
+        # Request rate per service+route
+        # Source: http_requests_total (C3)
+        # ============================================================
+        - record: olam:http_requests:rate5m_by_service_route
+          expr: |
+            sum by (service, route) (rate(http_requests_total[5m]))
+
+        # Aggregate request rate per service
+        - record: olam:http_requests:rate5m_by_service
+          expr: |
+            sum by (service) (rate(http_requests_total[5m]))
+
+        # ============================================================
+        # Error rate (status_code >= 500) per service+route
+        # 4xx are client errors and are intentionally excluded from
+        # the error ratio — only server-side failures count.
+        # ============================================================
+        - record: olam:http_errors:rate5m_by_service_route
+          expr: |
+            sum by (service, route) (
+              rate(http_requests_total{status_code=~"5.."}[5m])
+            )
+
+        # Error ratio (errors / total) per service+route.
+        # Returns NaN when total rate is 0 (no traffic) — dashboards
+        # should handle NaN as "no data" rather than "0% error rate".
+        - record: olam:http_errors:ratio_by_service_route
+          expr: |
+            sum by (service, route) (rate(http_requests_total{status_code=~"5.."}[5m]))
+            /
+            sum by (service, route) (rate(http_requests_total[5m]))

package/host-cp/peripheral-services/manifests/96-kyverno-cardinality-mutate.yaml

@@ -0,0 +1,195 @@
+# 96-kyverno-cardinality-mutate.yaml — Phase C C8 follow-up.
+#
+# Closes codex's C2 concern: per-ServiceMonitor metricRelabelings is
+# "policy by convention". A third-party ServiceMonitor or PodMonitor that
+# olam doesn't author can bypass the labeldrop and reintroduce the
+# cardinality bomb (T1). YAML anchors in kube-prom-stack-values.yaml keep
+# Olam-owned manifests DRY but don't make the cluster safe.
+#
+# This ClusterPolicy mutates EVERY incoming ServiceMonitor and PodMonitor
+# at admission time — regardless of who created it (chart, kubectl, operator,
+# CI, GitOps) — to ensure the cardinality labeldrop rule is present on
+# every endpoint. Once persisted, the prometheus-operator renders the
+# relabel into Prometheus's scrape config.
+#
+# Why mutate-only (not validate):
+#   Validate would block a chart install or operator action mid-stride
+#   if a third-party ServiceMonitor lacks the rule. Mutate is the better
+#   posture: silently ensure the rule is present without breaking
+#   legitimate installs. Defense-in-depth still lives in TWO layers:
+#     (a) admission-time mutation (this policy)
+#     (b) per-ServiceMonitor metricRelabelings in
+#         kube-prom-stack-values.yaml + 9x-servicemonitor-*.yaml.
+#
+# Idempotency contract:
+#   Mutation must NOT add a duplicate labeldrop entry. Achieved by
+#   two-rule split per kind, each with a precondition that the labeldrop
+#   is currently ABSENT. Once present, neither rule fires:
+#     - Rule A (handle absent/empty case): preconditions:
+#         metricRelabelings is null/missing OR empty array.
+#         JSON patch: `add /spec/endpoints/{i}/metricRelabelings` with
+#         a single-element array containing our rule.
+#     - Rule B (handle existing-but-no-labeldrop case): preconditions:
+#         metricRelabelings is a non-empty array AND no entry has
+#         `action: labeldrop` with `regex` mentioning `world_id`.
+#         JSON patch: `add /spec/endpoints/{i}/metricRelabelings/-`
+#         appending our rule.
+#
+#   Verified behavior (kyverno-cardinality-mutate.sh asserts):
+#     - Bare ServiceMonitor (no metricRelabelings)              → Rule A injects
+#     - ServiceMonitor with metricRelabelings: []               → Rule A injects (replaces empty)
+#     - ServiceMonitor with unrelated metricRelabelings entries → Rule B appends
+#     - ServiceMonitor with matching labeldrop already present  → NEITHER rule fires (idempotent)
+#     - Mixed: some endpoints lack it, others have it           → only the lacking endpoints are mutated
+#
+# Background scan: OFF (background: false). Existing ServiceMonitors at
+# install time are NOT auto-mutated. Re-apply them to trigger admission,
+# or rely on the C2 per-ServiceMonitor metricRelabelings as the failsafe.
+#
+# failurePolicy: Ignore. Kyverno webhook timeout / pod outage MUST NOT
+# block ServiceMonitor admission — the C2 layer-2 rules still protect
+# Olam-owned monitors. Trade-off accepted: during Kyverno downtime, a
+# brand-new third-party ServiceMonitor could land without the labeldrop.
+# The 80k active-series PrometheusRule alert (Phase C C2,
+# 90-prom-alert-cardinality.yaml) is the runtime detector that fires
+# if this gap is exploited.
+#
+# Refs:
+#   - docs/plans/k3s-ingress-observability/phase-c-tasks.md — C8
+#   - codex review on PR #783 ("policy by convention" finding)
+#   - https://kyverno.io/docs/writing-policies/mutate/
+#   - https://kyverno.io/docs/writing-policies/mutate/#foreach
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: enforce-cardinality-labeldrop
+  labels:
+    app.kubernetes.io/part-of: olam
+    olam.io/phase: c-followup
+  annotations:
+    policies.kyverno.io/title: "Cluster-wide cardinality labeldrop enforcement"
+    policies.kyverno.io/category: "Observability"
+    policies.kyverno.io/severity: high
+    policies.kyverno.io/subject: "ServiceMonitor, PodMonitor"
+    policies.kyverno.io/description: >-
+      Ensures every ServiceMonitor and PodMonitor carries a metricRelabelings
+      labeldrop rule for high-cardinality labels (world_id, trace_id, user_id,
+      request_id, operator_id) on every endpoint. Closes the "third-party chart
+      bypasses C2 labeldrop" gap surfaced during PR #783 review.
+spec:
+  background: false
+  failurePolicy: Ignore
+  mutateExistingOnPolicyUpdate: false
+
+  rules:
+    # ---------------------------------------------------------------------
+    # ServiceMonitor — Rule A: metricRelabelings absent or empty
+    # ---------------------------------------------------------------------
+    - name: inject-labeldrop-sm-absent
+      match:
+        any:
+          - resources:
+              kinds:
+                - monitoring.coreos.com/v1/ServiceMonitor
+      mutate:
+        foreach:
+          - list: "request.object.spec.endpoints"
+            preconditions:
+              all:
+                # length() of null/missing returns 0; length([]) is 0. So
+                # this fires when the field is absent OR an empty array.
+                - key: "{{ length(not_null(element.metricRelabelings, `[]`)) }}"
+                  operator: Equals
+                  value: 0
+            patchesJson6902: |-
+              - op: add
+                path: "/spec/endpoints/{{ elementIndex }}/metricRelabelings"
+                value:
+                  - action: labeldrop
+                    regex: "world_id|trace_id|user_id|request_id|operator_id"
+
+    # ---------------------------------------------------------------------
+    # ServiceMonitor — Rule B: metricRelabelings has entries, but no
+    # matching labeldrop for our banned-label regex.
+    #
+    # We test `contains(regex, 'world_id')` rather than equality so that
+    # operators who include additional banned labels in their own regex
+    # don't trigger duplicate injection. This is the idempotency hinge.
+    # ---------------------------------------------------------------------
+    - name: inject-labeldrop-sm-append
+      match:
+        any:
+          - resources:
+              kinds:
+                - monitoring.coreos.com/v1/ServiceMonitor
+      mutate:
+        foreach:
+          - list: "request.object.spec.endpoints"
+            preconditions:
+              all:
+                - key: "{{ length(not_null(element.metricRelabelings, `[]`)) }}"
+                  operator: GreaterThan
+                  value: 0
+                - key: >-
+                    {{ length(element.metricRelabelings[?action == 'labeldrop' && contains(not_null(regex, ''), 'world_id')]) }}
+                  operator: Equals
+                  value: 0
+            patchesJson6902: |-
+              - op: add
+                path: "/spec/endpoints/{{ elementIndex }}/metricRelabelings/-"
+                value:
+                  action: labeldrop
+                  regex: "world_id|trace_id|user_id|request_id|operator_id"
+
+    # ---------------------------------------------------------------------
+    # PodMonitor — Rule A: podMetricsEndpoints[*].metricRelabelings absent
+    # ---------------------------------------------------------------------
+    - name: inject-labeldrop-pm-absent
+      match:
+        any:
+          - resources:
+              kinds:
+                - monitoring.coreos.com/v1/PodMonitor
+      mutate:
+        foreach:
+          - list: "request.object.spec.podMetricsEndpoints"
+            preconditions:
+              all:
+                - key: "{{ length(not_null(element.metricRelabelings, `[]`)) }}"
+                  operator: Equals
+                  value: 0
+            patchesJson6902: |-
+              - op: add
+                path: "/spec/podMetricsEndpoints/{{ elementIndex }}/metricRelabelings"
+                value:
+                  - action: labeldrop
+                    regex: "world_id|trace_id|user_id|request_id|operator_id"
+
+    # ---------------------------------------------------------------------
+    # PodMonitor — Rule B: metricRelabelings exists, no labeldrop
+    # ---------------------------------------------------------------------
+    - name: inject-labeldrop-pm-append
+      match:
+        any:
+          - resources:
+              kinds:
+                - monitoring.coreos.com/v1/PodMonitor
+      mutate:
+        foreach:
+          - list: "request.object.spec.podMetricsEndpoints"
+            preconditions:
+              all:
+                - key: "{{ length(not_null(element.metricRelabelings, `[]`)) }}"
+                  operator: GreaterThan
+                  value: 0
+                - key: >-
+                    {{ length(element.metricRelabelings[?action == 'labeldrop' && contains(not_null(regex, ''), 'world_id')]) }}
+                  operator: Equals
+                  value: 0
+            patchesJson6902: |-
+              - op: add
+                path: "/spec/podMetricsEndpoints/{{ elementIndex }}/metricRelabelings/-"
+                value:
+                  action: labeldrop
+                  regex: "world_id|trace_id|user_id|request_id|operator_id"