Skip to content

Runbook — Watchtower can't scrape CMMD /metrics

Watchtower's Prometheus reports `up{job="cmmd-app-metrics"} == 0`. CMMD itself may still be healthy — this alert specifically means the metrics-export path is broken, which leaves us flying blind on cost + usage.

FieldValue
SeverityP1 (visibility loss, not customer impact)
Owner@aphaiboon
Alert sourceWatchtower — up{job="cmmd-app-metrics"} == 0 for 5m OR absent(cmmd_product_ai_cost_24h_cents) for 10m
Estimated time5–15 min
Required accessWatchtower (Coolify env), Railway (CMMD env), Prometheus UI

ntfy push: “Watchtower scrape of cmmd.ai/metrics is down”. CMMD app itself may be perfectly healthy (Watchtower → CMMD app probe tile still green); only the metrics scrape is broken.

Without /metrics, all of Watchtower’s CMMD-internal tiles go blank:

  • Today’s AI spend
  • Per-provider usage gauges
  • Database health gauge
  • HTTP request rate
  • Active users

We lose visibility into cost-burn (the P0-class signal). The app still serves customers fine.

  1. Token mismatchCMMD_METRICS_TOKEN in watchtower’s Coolify env doesn’t match PROMETHEUS_BEARER_TOKEN in CMMD’s Railway env. Probably the value drifted (rotated on one side).
  2. CMMD app down — the /metrics endpoint can’t respond because the whole app isn’t responding. In that case the cmmd-app probe tile is also red → see runbook-cmmd-app-down first.
  3. Network path broken — Cloudflare blocking the bearer-auth request, or Coolify can’t reach cmmd.ai
  4. Token unset on the watchtower sideCMMD_METRICS_TOKEN not set on Coolify; Prometheus targets page shows 401 unauthorized for the scrape.
  1. Open Watchtower → Connections → Prometheus → /targets → find cmmd-app-metrics. Check the error message.

  2. If “401 unauthorized”: token mismatch.

  3. If “context deadline exceeded”: network path.

  4. Manually curl from your machine:

    Terminal window
    # No bearer — should 401
    curl -i https://cmmd.ai/metrics
    # With current token (the working one)
    curl -i -H "Authorization: Bearer <CMMD_PROMETHEUS_BEARER_TOKEN>" https://cmmd.ai/metrics
    # Expect: 200 + prom-format text
  1. CMMD → Railway → env → reveal PROMETHEUS_BEARER_TOKEN. (Or PROMETHEUS_SCRAPE_TOKENserver/observability/prometheus.ts accepts either.)
  2. Watchtower → Coolify → env → set CMMD_METRICS_TOKEN to that value.
  3. Restart watchtower’s prometheus container: docker compose restart prometheus (or via Coolify UI).
  4. Watch the /targets page — within 30s the cmmd-app-metrics target should flip from DOWN to UP.

Same as above — set the env var fresh on Coolify side.

  1. From inside the Coolify host: curl -i https://cmmd.ai/metrics — does it reach cmmd.ai?
  2. If the same curl works from your laptop but not from Coolify → outbound block on Coolify side. Investigate networking.

Follow runbook-cmmd-app-down first. The metrics scrape will recover automatically once the app is back.

  • Watchtower → Prometheus → /targetscmmd-app-metrics shows UP
  • Query in Prometheus: cmmd_product_ai_requests_24h_total returns data
  • Watchtower home dashboard tiles populated
  • If the token CAN’T be found in either env → rotate: generate a new strong token, set in both Railway + Coolify, restart both
  • If you suspect a leaked token → rotate immediately