Enforcement-on-live-production-pipelines is a red flag — default to observability
Red-flag pattern: building blocking guardrails on live production pipelines
Discovered: 2026-04-23, Cost Observer pivot session.
The pattern: a scope asks for a guardrail that intercepts calls to a LIVE PRODUCTION pipeline (data sync, billing, auth, payment) and gates them on a threshold. Challenge the premise before executing.
Why it’s wrong:
- Gating has a real failure mode (false-positive blocks a legitimate op → operator can’t proceed → incident)
- The benefit gating adds over plain visibility is zero — if you can calculate the threshold, the operator can see the same signal and make the same decision
- Production pipelines = ongoing obligations. They don’t stop for threshold guesses.
Correct default for cost/volume/anomaly visibility on running pipelines: pull-based observability
- Grafana dashboards / ad-hoc queries
- Audit tables that accumulate trend data
- Severity labels on observations (routine/elevated/critical) for human scanning, NOT for automated gating
- If push is ever genuinely needed: reuse existing notification infra, don’t build new
When gating IS appropriate: one-time destructive operations (DROP TABLE, DELETE FROM without WHERE, mass-delete APIs) that have zero legitimate use case above a threshold. Continuous pipelines do not qualify.
Mid-session pivot execution rule: when the principal corrects direction, the repurpose must be SURGICAL. Rename module, strip enforcement semantics, supersede historical docs with annotations (preserve the reasoning trail — do NOT delete), fix stale refs in one sweep, rerun tests post-rename. Zero tech debt from the old direction survives.
Scope-doc live-state verification rule: scope docs handed from other workspaces/agents MUST be validated against live system state in Phase 1.0 pre-flight BEFORE execution. Cost Observer session caught 6 drifts in the handoff scope doc: wrong database name, single- vs dual-schema reality, 4/6 target tables renamed in the dbt-transformed layer, column-name drift, a referenced column that didn’t exist. Handoff scope docs are point-in-time snapshots — always verify, never execute verbatim.
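A Phase 1.0 pre-flight drift check of the kind the rule above describes, as an added example (not the Cost Observer's own code). It assumes the live system is a sqlite database standing in for the dbt-transformed layer and that the handoff scope doc is a table-to-columns mapping; both inputs are constructed, and the rename heuristic (a live table name ending in the scoped name) is an assumption.

```python
import sqlite3

# Constructed stand-in for the dbt-transformed layer; not a real schema.
LIVE_DDL = """
CREATE TABLE fct_sync_events (id INTEGER, account_id TEXT, synced_at TEXT, row_count INTEGER);
CREATE TABLE dim_accounts (account_id TEXT, plan TEXT);
"""

# Constructed handoff scope doc: table -> columns, as written by another workspace.
SCOPE_DOC = {
    "sync_events": ["id", "account_id", "synced_at", "rows"],  # renamed table + drifted column
    "dim_accounts": ["account_id", "plan"],                    # matches live state
    "billing_runs": ["run_id", "status"],                      # does not exist live
}


def live_schema(conn):
    """Inventory live tables and columns from sqlite_master and PRAGMA table_info."""
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    return {t: [c[1] for c in conn.execute(f"PRAGMA table_info('{t}')")] for t in tables}


def verify_scope(scope, live):
    """Return (kind, reference, detail) drift findings; an empty list means no drift."""
    drifts = []
    for table, cols in scope.items():
        if table in live:
            live_cols = live[table]
        else:
            # Assumed heuristic: a live name ending in the scoped name is a dbt rename.
            candidates = [t for t in live if t.endswith(table)]
            if not candidates:
                drifts.append(("table_missing", table, None))
                continue  # no live columns to compare against
            drifts.append(("table_renamed", table, candidates[0]))
            live_cols = live[candidates[0]]
        for col in cols:
            if col not in live_cols:
                drifts.append(("column_missing", f"{table}.{col}", None))
    return drifts


def preflight(scope, ddl):
    """Build the constructed live DB in memory and validate the scope doc against it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(ddl)
    return verify_scope(scope, live_schema(conn))


if __name__ == "__main__":
    for kind, ref, detail in preflight(SCOPE_DOC, LIVE_DDL):
        print(kind, ref, detail or "")
```

Any non-empty result blocks execution and sends the scope doc back for correction; the findings list is the annotation trail for the pivot.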
Related
- Cost Observer capability
- Tier 1 Directive 4 — Live state verification