[Monitoring] Key validation #539

@2witstudios

Summary

Monitoring ingest can be effectively disabled by missing MONITORING_INGEST_KEY, with only a single warning from middleware.

Evidence

  • Middleware disables forwarding when key is missing and logs warning once per process:
    • apps/web/src/middleware/monitoring.ts:184 (hasWarnedMissingIngestKey)
    • apps/web/src/middleware/monitoring.ts:189 to apps/web/src/middleware/monitoring.ts:197
  • After first warning, forwarding is silently skipped on subsequent requests (same code path).
  • Ingest endpoint itself requires key and returns 503 if missing:
    • apps/web/src/app/api/internal/monitoring/ingest/route.ts:41 to apps/web/src/app/api/internal/monitoring/ingest/route.ts:46
    • But this route is not reached when middleware short-circuits due to missing key.

Problem

A production misconfiguration can silently degrade observability after one startup/runtime warning.

Enterprise Impact

  • “Observability can silently degrade by env misconfig.”

Proposed Work

  1. Add explicit production guardrails for MONITORING_INGEST_KEY:
    • fail-fast startup (preferred), or
    • hard healthcheck failure + recurring alerts/metrics.
  2. Add periodic/error-level logging until config is corrected (not one-time only).
  3. Document expected behavior in .env.example and deployment runbook.
  4. Add an explicit opt-out env flag for environments intentionally running without ingest.

Acceptance Criteria

  • Production cannot run in a silently degraded monitoring state without clear health/alert signal.
  • Missing-key behavior is deterministic, documented, and test-covered.
  • Operators can intentionally disable ingest only via explicit config, not accidental omission.
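
One way the guardrails proposed above could look, as an added sketch that is not code from the repository: fail-fast resolution at startup, a health status for the degraded state, and a recurring error log in place of a warn-once flag. The opt-out flag name `MONITORING_INGEST_DISABLED`, the function names, and the use of `NODE_ENV` to detect production are assumptions.

```typescript
// Added example, not the repository's code. Only MONITORING_INGEST_KEY comes
// from the issue; every other name here is hypothetical.
type Env = Record<string, string | undefined>;
type IngestConfig =
  | { mode: "enabled"; key: string }
  | { mode: "disabled"; reason: "explicit-opt-out" }
  | { mode: "degraded"; reason: "missing-key" };

// Hypothetical opt-out flag (proposed item 4); the issue does not name one.
const OPT_OUT_FLAG = "MONITORING_INGEST_DISABLED";

// Resolve once at startup. Assumes NODE_ENV=production marks production.
function resolveIngestConfig(env: Env): IngestConfig {
  if (env[OPT_OUT_FLAG] === "true") {
    return { mode: "disabled", reason: "explicit-opt-out" };
  }
  // Treat an empty or whitespace-only value the same as an unset key.
  const key = (env["MONITORING_INGEST_KEY"] ?? "").trim();
  if (key !== "") return { mode: "enabled", key };
  if (env["NODE_ENV"] === "production") {
    // Fail fast: refuse to start instead of running without monitoring.
    throw new Error(`MONITORING_INGEST_KEY missing; set it or ${OPT_OUT_FLAG}=true`);
  }
  return { mode: "degraded", reason: "missing-key" };
}

// Health check alternative to fail-fast: a degraded state reports not-ok.
function healthStatus(cfg: IngestConfig): { ok: boolean; detail: string } {
  return cfg.mode === "degraded"
    ? { ok: false, detail: "monitoring ingest key missing" }
    : { ok: true, detail: `monitoring ingest ${cfg.mode}` };
}

// Replaces a warn-once flag: logs at error level again every intervalMs.
function makeMissingKeyReporter(intervalMs: number, log: (msg: string) => void) {
  let lastAt = -Infinity;
  return (nowMs: number): boolean => {
    if (nowMs - lastAt < intervalMs) return false;
    lastAt = nowMs;
    log("ERROR monitoring forwarding skipped: MONITORING_INGEST_KEY missing");
    return true;
  };
}
```

The middleware would call the reporter with the current time on each skipped forward, so the error recurs until the configuration is corrected.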
