refactor(analytics): Remove SQLite fallback, require Supabase exclusively

backend/api/storage/analytics_store.py

@@ -10,8 +10,8 @@ Tracks:
 """
 
 import json
+import logging
 import os
-import sqlite3
 import time
 from datetime import datetime
 from pathlib import Path
@@ -25,13 +25,16 @@ except ImportError:
     Client = None  # type: ignore
     SUPABASE_AVAILABLE = False
 
+logger = logging.getLogger(__name__)
+
 
 class AnalyticsStore:
     """
-    Analytics logging with dual-backend support.
+    Analytics logging with Supabase-only backend.
 
-    - Uses Supabase when SUPABASE_URL/SUPABASE_SERVICE_KEY are configured
-    - Falls back to local SQLite (data/analytics.db) otherwise
+    - Requires SUPABASE_URL and SUPABASE_SERVICE_KEY to be configured
+    - All data is saved to Supabase (no SQLite fallback)
+    - Raises errors if Supabase is not available
     """
 
     def __init__(
@@ -40,43 +43,50 @@ class AnalyticsStore:
         use_supabase: Optional[bool] = None,
         auto_create_tables: bool = False,
     ):
-        self.use_supabase = use_supabase
+        """
+        Initialize AnalyticsStore with Supabase-only backend.
+        
+        Args:
+            db_path: Ignored (kept for backward compatibility, not used)
+            use_supabase: Ignored (always uses Supabase if available)
+            auto_create_tables: If True, attempt to create tables if missing
+            
+        Raises:
+            RuntimeError: If Supabase credentials are missing or invalid
+        """
         self._tables_verified = False
         self.supabase_client: Optional[Client] = None
-
-        if self.use_supabase is None:
-            supabase_url = os.getenv("SUPABASE_URL")
-            supabase_key = os.getenv("SUPABASE_SERVICE_KEY")
-            self.use_supabase = bool(
-                supabase_url and supabase_key and SUPABASE_AVAILABLE
+        
+        # Require Supabase - no fallback
+        supabase_url = os.getenv("SUPABASE_URL")
+        supabase_key = os.getenv("SUPABASE_SERVICE_KEY")
+        
+        if not SUPABASE_AVAILABLE:
+            raise RuntimeError(
+                "Supabase package not installed. Install with: pip install supabase\n"
+                "AnalyticsStore requires Supabase - SQLite fallback has been removed."
             )
-
-        if self.use_supabase:
-            self._init_supabase(auto_create_tables)
-        else:
-            self._init_sqlite(db_path)
-
-    def _init_sqlite(self, db_path: Optional[str]):
-        """Initialize SQLite database path + schema."""
-        if db_path is None:
-            root_dir = Path(__file__).resolve().parents[3]
-            data_dir = root_dir / "data"
-            data_dir.mkdir(parents=True, exist_ok=True)
-            self.db_path = data_dir / "analytics.db"
-        else:
-            self.db_path = Path(db_path)
-
-        self._init_db()
+        
+        if not supabase_url or not supabase_key:
+            raise RuntimeError(
+                "Supabase credentials are required!\n"
+                "Set SUPABASE_URL and SUPABASE_SERVICE_KEY in your .env file.\n"
+                "AnalyticsStore requires Supabase - SQLite fallback has been removed."
+            )
+        
+        self.use_supabase = True  # Always True - no fallback
+        self._init_supabase(auto_create_tables)
 
     def _init_supabase(self, auto_create_tables: bool):
+        """Initialize Supabase client. Raises error if initialization fails."""
         supabase_url = os.getenv("SUPABASE_URL")
         supabase_key = os.getenv("SUPABASE_SERVICE_KEY")
 
         if not supabase_url or not supabase_key:
-            print("⚠️  Supabase credentials missing. Falling back to SQLite for analytics.")
-            self.use_supabase = False
-            self._init_sqlite(None)
-            return
+            raise RuntimeError(
+                "Supabase credentials are required!\n"
+                "Set SUPABASE_URL and SUPABASE_SERVICE_KEY in your .env file."
+            )
 
         try:
             self.supabase_client = create_client(supabase_url, supabase_key)
@@ -91,10 +101,19 @@ class AnalyticsStore:
                 self._ensure_supabase_tables()
             else:
                 self._quick_table_check()
-        except Exception as exc:  # pragma: no cover - defensive logging
-            print(f"⚠️  Failed to initialize Supabase client for analytics: {exc}")
-            self.use_supabase = False
-            self._init_sqlite(None)
+            
+            if not self._tables_verified:
+                logger.warning(
+                    "⚠️  Supabase analytics tables not verified. "
+                    "Data inserts may fail. Run supabase_analytics_tables.sql in Supabase SQL Editor."
+                )
+        except Exception as exc:
+            logger.error(f"❌ Failed to initialize Supabase client for analytics: {exc}")
+            raise RuntimeError(
+                f"Failed to initialize Supabase client: {exc}\n"
+                "Make sure SUPABASE_URL and SUPABASE_SERVICE_KEY are correct.\n"
+                "AnalyticsStore requires Supabase - SQLite fallback has been removed."
+            ) from exc
 
     def _quick_table_check(self):
         """Verify that all expected Supabase tables exist."""
@@ -124,109 +143,6 @@ class AnalyticsStore:
             else:
                 print("   Missing supabase_analytics_tables.sql in repo root.")
 
-    def _init_db(self):
-        """Initialize database tables for analytics."""
-        with sqlite3.connect(self.db_path) as conn:
-            # Tool usage events table
-            conn.execute(
-                """
-                CREATE TABLE IF NOT EXISTS tool_usage_events (
-                    id INTEGER PRIMARY KEY AUTOINCREMENT,
-                    tenant_id TEXT NOT NULL,
-                    user_id TEXT,
-                    tool_name TEXT NOT NULL,
-                    timestamp INTEGER NOT NULL,
-                    latency_ms INTEGER,
-                    tokens_used INTEGER,
-                    success BOOLEAN DEFAULT 1,
-                    error_message TEXT,
-                    metadata TEXT
-                )
-                """
-            )
-
-            # Red-flag violations table
-            conn.execute(
-                """
-                CREATE TABLE IF NOT EXISTS redflag_violations (
-                    id INTEGER PRIMARY KEY AUTOINCREMENT,
-                    tenant_id TEXT NOT NULL,
-                    user_id TEXT,
-                    rule_id TEXT NOT NULL,
-                    rule_pattern TEXT,
-                    severity TEXT NOT NULL,
-                    matched_text TEXT,
-                    confidence REAL,
-                    message_preview TEXT,
-                    timestamp INTEGER NOT NULL
-                )
-                """
-            )
-
-            # RAG search events with quality metrics
-            conn.execute(
-                """
-                CREATE TABLE IF NOT EXISTS rag_search_events (
-                    id INTEGER PRIMARY KEY AUTOINCREMENT,
-                    tenant_id TEXT NOT NULL,
-                    query TEXT NOT NULL,
-                    hits_count INTEGER,
-                    avg_score REAL,
-                    top_score REAL,
-                    timestamp INTEGER NOT NULL,
-                    latency_ms INTEGER
-                )
-                """
-            )
-
-            # Agent query events (overall query tracking)
-            conn.execute(
-                """
-                CREATE TABLE IF NOT EXISTS agent_query_events (
-                    id INTEGER PRIMARY KEY AUTOINCREMENT,
-                    tenant_id TEXT NOT NULL,
-                    user_id TEXT,
-                    message_preview TEXT,
-                    intent TEXT,
-                    tools_used TEXT,
-                    total_tokens INTEGER,
-                    total_latency_ms INTEGER,
-                    success BOOLEAN DEFAULT 1,
-                    timestamp INTEGER NOT NULL
-                )
-                """
-            )
-
-            # Create indexes separately (SQLite doesn't support inline INDEX in CREATE TABLE)
-            conn.execute(
-                """
-                CREATE INDEX IF NOT EXISTS idx_tool_usage_tenant_timestamp 
-                ON tool_usage_events(tenant_id, timestamp)
-                """
-            )
-
-            conn.execute(
-                """
-                CREATE INDEX IF NOT EXISTS idx_redflag_tenant_timestamp 
-                ON redflag_violations(tenant_id, timestamp)
-                """
-            )
-
-            conn.execute(
-                """
-                CREATE INDEX IF NOT EXISTS idx_rag_search_tenant_timestamp 
-                ON rag_search_events(tenant_id, timestamp)
-                """
-            )
-
-            conn.execute(
-                """
-                CREATE INDEX IF NOT EXISTS idx_agent_query_tenant_timestamp 
-                ON agent_query_events(tenant_id, timestamp)
-                """
-            )
-
-            conn.commit()
 
     # ------------------------------------------------------------------
     # Logging helpers
@@ -247,12 +163,38 @@ class AnalyticsStore:
         return None
 
     def _supabase_insert(self, table: str, payload: Dict[str, Any]):
+        """Insert data into Supabase table. Raises error if insert fails."""
         if not self.supabase_client:
-            return
+            raise RuntimeError(f"Supabase client not initialized. Cannot insert into {table}.")
+        
+        # Check if tables are verified (warn if not)
+        if not self._tables_verified:
+            logger.warning(
+                f"Supabase tables not verified. Insert to {table} may fail. "
+                f"Run supabase_analytics_tables.sql in Supabase SQL Editor."
+            )
+        
         try:
-            self.supabase_client.table(table).insert(payload).execute()
-        except Exception as exc:  # pragma: no cover - logging only
-            print(f"❌ Supabase insert failed for {table}: {exc}")
+            response = self.supabase_client.table(table).insert(payload).execute()
+            logger.debug(f"Successfully inserted into {table}: {len(response.data) if response.data else 1} row(s)")
+        except Exception as exc:
+            error_msg = str(exc)
+            logger.error(
+                f"❌ Supabase insert failed for table '{table}': {error_msg}\n"
+                f"   Payload keys: {list(payload.keys())}\n"
+                f"   Tenant ID: {payload.get('tenant_id', 'N/A')}\n"
+                f"   This may indicate:\n"
+                f"   1. Table '{table}' does not exist in Supabase\n"
+                f"   2. Missing columns or schema mismatch\n"
+                f"   3. RLS (Row Level Security) policy blocking insert\n"
+                f"   4. Invalid Supabase credentials\n"
+                f"   Solution: Run supabase_analytics_tables.sql in Supabase SQL Editor"
+            )
+            # Re-raise - no SQLite fallback
+            raise RuntimeError(
+                f"Failed to insert into Supabase table '{table}': {error_msg}\n"
+                "AnalyticsStore requires Supabase - SQLite fallback has been removed."
+            ) from exc
 
     def _supabase_simple_select(
         self,
@@ -321,42 +263,22 @@ class AnalyticsStore:
         metadata: Optional[Dict[str, Any]] = None,
         user_id: Optional[str] = None
     ):
-        """Log a tool usage event."""
-        if self.use_supabase and self.supabase_client:
-            payload = {
-                "tenant_id": tenant_id,
-                "user_id": user_id,
-                "tool_name": tool_name,
-                "timestamp": self._now_ts(),
-                "latency_ms": latency_ms,
-                "tokens_used": tokens_used,
-                "success": success,
-                "error_message": error_message,
-                "metadata": metadata,
-            }
-            self._supabase_insert(self.table_names["tool_usage"], payload)
-            return
-
-        with sqlite3.connect(self.db_path) as conn:
-            conn.execute(
-                """
-                INSERT INTO tool_usage_events 
-                (tenant_id, user_id, tool_name, timestamp, latency_ms, tokens_used, success, error_message, metadata)
-                VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
-                """,
-                (
-                    tenant_id,
-                    user_id,
-                    tool_name,
-                    self._now_ts(),
-                    latency_ms,
-                    tokens_used,
-                    1 if success else 0,
-                    error_message,
-                    self._serialize_metadata(metadata),
-                ),
-            )
-            conn.commit()
+        """Log a tool usage event to Supabase."""
+        if not self.supabase_client:
+            raise RuntimeError("Supabase client not initialized. Cannot log tool usage.")
+        
+        payload = {
+            "tenant_id": tenant_id,
+            "user_id": user_id,
+            "tool_name": tool_name,
+            "timestamp": self._now_ts(),
+            "latency_ms": latency_ms,
+            "tokens_used": tokens_used,
+            "success": success,
+            "error_message": error_message,
+            "metadata": metadata,
+        }
+        self._supabase_insert(self.table_names["tool_usage"], payload)
 
     def log_redflag_violation(
         self,
@@ -369,44 +291,23 @@ class AnalyticsStore:
         message_preview: Optional[str] = None,
         user_id: Optional[str] = None
     ):
-        """Log a red-flag violation."""
+        """Log a red-flag violation to Supabase."""
+        if not self.supabase_client:
+            raise RuntimeError("Supabase client not initialized. Cannot log redflag violation.")
+        
         truncated_message = message_preview[:200] if message_preview else None
-
-        if self.use_supabase and self.supabase_client:
-            payload = {
-                "tenant_id": tenant_id,
-                "user_id": user_id,
-                "rule_id": rule_id,
-                "rule_pattern": rule_pattern,
-                "severity": severity,
-                "matched_text": matched_text,
-                "confidence": confidence,
-                "message_preview": truncated_message,
-                "timestamp": self._now_ts(),
-            }
-            self._supabase_insert(self.table_names["redflags"], payload)
-            return
-
-        with sqlite3.connect(self.db_path) as conn:
-            conn.execute(
-                """
-                INSERT INTO redflag_violations
-                (tenant_id, user_id, rule_id, rule_pattern, severity, matched_text, confidence, message_preview, timestamp)
-                VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
-                """,
-                (
-                    tenant_id,
-                    user_id,
-                    rule_id,
-                    rule_pattern,
-                    severity,
-                    matched_text,
-                    confidence,
-                    truncated_message,
-                    self._now_ts(),
-                ),
-            )
-            conn.commit()
+        payload = {
+            "tenant_id": tenant_id,
+            "user_id": user_id,
+            "rule_id": rule_id,
+            "rule_pattern": rule_pattern,
+            "severity": severity,
+            "matched_text": matched_text,
+            "confidence": confidence,
+            "message_preview": truncated_message,
+            "timestamp": self._now_ts(),
+        }
+        self._supabase_insert(self.table_names["redflags"], payload)
 
     def log_rag_search(
         self,
@@ -417,39 +318,21 @@ class AnalyticsStore:
         top_score: Optional[float] = None,
         latency_ms: Optional[int] = None
     ):
-        """Log a RAG search event with quality metrics."""
+        """Log a RAG search event with quality metrics to Supabase."""
+        if not self.supabase_client:
+            raise RuntimeError("Supabase client not initialized. Cannot log RAG search.")
+        
         trimmed_query = query[:500]
-        if self.use_supabase and self.supabase_client:
-            payload = {
-                "tenant_id": tenant_id,
-                "query": trimmed_query,
-                "hits_count": hits_count,
-                "avg_score": avg_score,
-                "top_score": top_score,
-                "timestamp": self._now_ts(),
-                "latency_ms": latency_ms,
-            }
-            self._supabase_insert(self.table_names["rag_search"], payload)
-            return
-
-        with sqlite3.connect(self.db_path) as conn:
-            conn.execute(
-                """
-                INSERT INTO rag_search_events
-                (tenant_id, query, hits_count, avg_score, top_score, timestamp, latency_ms)
-                VALUES (?, ?, ?, ?, ?, ?, ?)
-                """,
-                (
-                    tenant_id,
-                    trimmed_query,
-                    hits_count,
-                    avg_score,
-                    top_score,
-                    self._now_ts(),
-                    latency_ms,
-                ),
-            )
-            conn.commit()
+        payload = {
+            "tenant_id": tenant_id,
+            "query": trimmed_query,
+            "hits_count": hits_count,
+            "avg_score": avg_score,
+            "top_score": top_score,
+            "timestamp": self._now_ts(),
+            "latency_ms": latency_ms,
+        }
+        self._supabase_insert(self.table_names["rag_search"], payload)
 
     def log_agent_query(
         self,
@@ -462,94 +345,37 @@ class AnalyticsStore:
         success: bool = True,
         user_id: Optional[str] = None
     ):
-        """Log an agent query event (overall query tracking)."""
+        """Log an agent query event (overall query tracking) to Supabase."""
+        if not self.supabase_client:
+            raise RuntimeError("Supabase client not initialized. Cannot log agent query.")
+        
         truncated_message = message_preview[:200]
-        serialized_tools = self._serialize_tools(tools_used)
-
-        if self.use_supabase and self.supabase_client:
-            payload = {
-                "tenant_id": tenant_id,
-                "user_id": user_id,
-                "message_preview": truncated_message,
-                "intent": intent,
-                "tools_used": tools_used,
-                "total_tokens": total_tokens,
-                "total_latency_ms": total_latency_ms,
-                "success": success,
-                "timestamp": self._now_ts(),
-            }
-            self._supabase_insert(self.table_names["agent_query"], payload)
-            return
-
-        with sqlite3.connect(self.db_path) as conn:
-            conn.execute(
-                """
-                INSERT INTO agent_query_events
-                (tenant_id, user_id, message_preview, intent, tools_used, total_tokens, total_latency_ms, success, timestamp)
-                VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
-                """,
-                (
-                    tenant_id,
-                    user_id,
-                    truncated_message,
-                    intent,
-                    serialized_tools,
-                    total_tokens,
-                    total_latency_ms,
-                    1 if success else 0,
-                    self._now_ts(),
-                ),
-            )
-            conn.commit()
+        payload = {
+            "tenant_id": tenant_id,
+            "user_id": user_id,
+            "message_preview": truncated_message,
+            "intent": intent,
+            "tools_used": tools_used,
+            "total_tokens": total_tokens,
+            "total_latency_ms": total_latency_ms,
+            "success": success,
+            "timestamp": self._now_ts(),
+        }
+        self._supabase_insert(self.table_names["agent_query"], payload)
 
     def get_tool_usage_stats(
         self,
         tenant_id: str,
         since_timestamp: Optional[int] = None
     ) -> Dict[str, Any]:
-        """Get tool usage statistics for a tenant."""
-        if self.use_supabase and self.supabase_client:
-            rows = self._supabase_fetch_all(
-                self.table_names["tool_usage"], tenant_id, since_timestamp
-            )
-        else:
-            with sqlite3.connect(self.db_path) as conn:
-                conn.row_factory = sqlite3.Row
-
-                query = """
-                    SELECT 
-                        tool_name,
-                        COUNT(*) as count,
-                        AVG(latency_ms) as avg_latency_ms,
-                        SUM(tokens_used) as total_tokens,
-                        SUM(CASE WHEN success = 1 THEN 1 ELSE 0 END) as success_count
-                    FROM tool_usage_events
-                    WHERE tenant_id = ?
-                """
-                params = [tenant_id]
-
-                if since_timestamp:
-                    query += " AND timestamp >= ?"
-                    params.append(since_timestamp)
-
-                query += " GROUP BY tool_name"
-
-                cursor = conn.execute(query, params)
-                rows = cursor.fetchall()
-
-                stats = {}
-                for row in rows:
-                    tool_name = row["tool_name"]
-                    stats[tool_name] = {
-                        "count": row["count"],
-                        "avg_latency_ms": round(row["avg_latency_ms"] or 0, 2),
-                        "total_tokens": row["total_tokens"] or 0,
-                        "success_count": row["success_count"],
-                        "error_count": row["count"] - row["success_count"],
-                    }
-
-                return stats
-
+        """Get tool usage statistics for a tenant from Supabase."""
+        if not self.supabase_client:
+            raise RuntimeError("Supabase client not initialized. Cannot get tool usage stats.")
+        
+        rows = self._supabase_fetch_all(
+            self.table_names["tool_usage"], tenant_id, since_timestamp
+        )
+        
         # Supabase aggregation (computed in Python)
         stats: Dict[str, Dict[str, Any]] = {}
         for row in rows:
@@ -587,177 +413,81 @@ class AnalyticsStore:
         limit: int = 50,
         since_timestamp: Optional[int] = None
     ) -> List[Dict[str, Any]]:
-        """Get recent red-flag violations for a tenant."""
-        if self.use_supabase and self.supabase_client:
-            rows = self._supabase_simple_select(
-                self.table_names["redflags"],
-                tenant_id,
-                since_timestamp=since_timestamp,
-                limit=limit,
-                order_desc=True,
-            )
-            return rows
-
-        with sqlite3.connect(self.db_path) as conn:
-            conn.row_factory = sqlite3.Row
-
-            query = """
-                SELECT * FROM redflag_violations
-                WHERE tenant_id = ?
-            """
-            params = [tenant_id]
-
-            if since_timestamp:
-                query += " AND timestamp >= ?"
-                params.append(since_timestamp)
-
-            query += " ORDER BY timestamp DESC LIMIT ?"
-            params.append(limit)
-
-            cursor = conn.execute(query, params)
-            rows = cursor.fetchall()
-
-            return [dict(row) for row in rows]
+        """Get recent red-flag violations for a tenant from Supabase."""
+        if not self.supabase_client:
+            raise RuntimeError("Supabase client not initialized. Cannot get redflag violations.")
+        
+        return self._supabase_simple_select(
+            self.table_names["redflags"],
+            tenant_id,
+            since_timestamp=since_timestamp,
+            limit=limit,
+            order_desc=True,
+        )
 
     def get_activity_summary(
         self,
         tenant_id: str,
         since_timestamp: Optional[int] = None
     ) -> Dict[str, Any]:
-        """Get activity summary for a tenant."""
-        if self.use_supabase and self.supabase_client:
-            queries = self._supabase_fetch_all(
-                self.table_names["agent_query"], tenant_id, since_timestamp
-            )
-            redflags = self._supabase_fetch_all(
-                self.table_names["redflags"], tenant_id, since_timestamp
-            )
-
-            total_queries = len(queries)
-            active_users = len({row["user_id"] for row in queries if row.get("user_id")})
-            last_query_ts = max((row.get("timestamp") or 0) for row in queries) if queries else None
-            redflag_count = len(redflags)
+        """Get activity summary for a tenant from Supabase."""
+        if not self.supabase_client:
+            raise RuntimeError("Supabase client not initialized. Cannot get activity summary.")
+        
+        queries = self._supabase_fetch_all(
+            self.table_names["agent_query"], tenant_id, since_timestamp
+        )
+        redflags = self._supabase_fetch_all(
+            self.table_names["redflags"], tenant_id, since_timestamp
+        )
 
-            return {
-                "total_queries": total_queries,
-                "active_users": active_users,
-                "redflag_count": redflag_count,
-                "last_query": datetime.fromtimestamp(last_query_ts).isoformat()
-                if last_query_ts
-                else None,
-            }
+        total_queries = len(queries)
+        active_users = len({row["user_id"] for row in queries if row.get("user_id")})
+        last_query_ts = max((row.get("timestamp") or 0) for row in queries) if queries else None
+        redflag_count = len(redflags)
 
-        with sqlite3.connect(self.db_path) as conn:
-            conn.row_factory = sqlite3.Row
-
-            # Total queries
-            query = "SELECT COUNT(*) as total FROM agent_query_events WHERE tenant_id = ?"
-            params = [tenant_id]
-            if since_timestamp:
-                query += " AND timestamp >= ?"
-                params.append(since_timestamp)
-
-            total_queries = conn.execute(query, params).fetchone()["total"]
-
-            # Active users (unique user_ids in the period)
-            query = """
-                SELECT COUNT(DISTINCT user_id) as active_users
-                FROM agent_query_events
-                WHERE tenant_id = ? AND user_id IS NOT NULL
-            """
-            params = [tenant_id]
-            if since_timestamp:
-                query += " AND timestamp >= ?"
-                params.append(since_timestamp)
-
-            active_users = conn.execute(query, params).fetchone()["active_users"]
-
-            # Last query timestamp
-            query = """
-                SELECT MAX(timestamp) as last_query
-                FROM agent_query_events
-                WHERE tenant_id = ?
-            """
-            last_query_ts = conn.execute(query, [tenant_id]).fetchone()["last_query"]
-
-            # Red-flag count
-            query = "SELECT COUNT(*) as count FROM redflag_violations WHERE tenant_id = ?"
-            params = [tenant_id]
-            if since_timestamp:
-                query += " AND timestamp >= ?"
-                params.append(since_timestamp)
-
-            redflag_count = conn.execute(query, params).fetchone()["count"]
-
-            return {
-                "total_queries": total_queries,
-                "active_users": active_users or 0,
-                "redflag_count": redflag_count,
-                "last_query": datetime.fromtimestamp(last_query_ts).isoformat()
-                if last_query_ts
-                else None,
-            }
+        return {
+            "total_queries": total_queries,
+            "active_users": active_users,
+            "redflag_count": redflag_count,
+            "last_query": datetime.fromtimestamp(last_query_ts).isoformat()
+            if last_query_ts
+            else None,
+        }
 
     def get_rag_quality_metrics(
         self,
         tenant_id: str,
         since_timestamp: Optional[int] = None
     ) -> Dict[str, Any]:
-        """Get RAG quality metrics (recall/precision indicators)."""
-        if self.use_supabase and self.supabase_client:
-            rows = self._supabase_fetch_all(
-                self.table_names["rag_search"], tenant_id, since_timestamp
-            )
-
-            if not rows:
-                return {
-                    "total_searches": 0,
-                    "avg_hits_per_search": 0,
-                    "avg_score": 0,
-                    "avg_top_score": 0,
-                    "avg_latency_ms": 0,
-                }
-
-            total_searches = len(rows)
-            avg_hits = sum(row.get("hits_count") or 0 for row in rows) / total_searches
-            avg_avg_score = sum(row.get("avg_score") or 0 for row in rows) / total_searches
-            avg_top_score = sum(row.get("top_score") or 0 for row in rows) / total_searches
-            avg_latency = sum(row.get("latency_ms") or 0 for row in rows) / total_searches
+        """Get RAG quality metrics (recall/precision indicators) from Supabase."""
+        if not self.supabase_client:
+            raise RuntimeError("Supabase client not initialized. Cannot get RAG quality metrics.")
+        
+        rows = self._supabase_fetch_all(
+            self.table_names["rag_search"], tenant_id, since_timestamp
+        )
 
+        if not rows:
             return {
-                "total_searches": total_searches,
-                "avg_hits_per_search": round(avg_hits, 2),
-                "avg_score": round(avg_avg_score, 3),
-                "avg_top_score": round(avg_top_score, 3),
-                "avg_latency_ms": round(avg_latency, 2),
+                "total_searches": 0,
+                "avg_hits_per_search": 0,
+                "avg_score": 0,
+                "avg_top_score": 0,
+                "avg_latency_ms": 0,
             }
 
-        with sqlite3.connect(self.db_path) as conn:
-            conn.row_factory = sqlite3.Row
-
-            query = """
-                SELECT 
-                    COUNT(*) as total_searches,
-                    AVG(hits_count) as avg_hits,
-                    AVG(avg_score) as avg_avg_score,
-                    AVG(top_score) as avg_top_score,
-                    AVG(latency_ms) as avg_latency_ms
-                FROM rag_search_events
-                WHERE tenant_id = ?
-            """
-            params = [tenant_id]
-
-            if since_timestamp:
-                query += " AND timestamp >= ?"
-                params.append(since_timestamp)
-
-            row = conn.execute(query, params).fetchone()
-
-            return {
-                "total_searches": row["total_searches"] or 0,
-                "avg_hits_per_search": round(row["avg_hits"] or 0, 2),
-                "avg_score": round(row["avg_avg_score"] or 0, 3),
-                "avg_top_score": round(row["avg_top_score"] or 0, 3),
-                "avg_latency_ms": round(row["avg_latency_ms"] or 0, 2),
-            }
+        total_searches = len(rows)
+        avg_hits = sum(row.get("hits_count") or 0 for row in rows) / total_searches
+        avg_avg_score = sum(row.get("avg_score") or 0 for row in rows) / total_searches
+        avg_top_score = sum(row.get("top_score") or 0 for row in rows) / total_searches
+        avg_latency = sum(row.get("latency_ms") or 0 for row in rows) / total_searches
+
+        return {
+            "total_searches": total_searches,
+            "avg_hits_per_search": round(avg_hits, 2),
+            "avg_score": round(avg_avg_score, 3),
+            "avg_top_score": round(avg_top_score, 3),
+            "avg_latency_ms": round(avg_latency, 2),
+        }
 

check_env.py

@@ -0,0 +1,106 @@
+#!/usr/bin/env python3
+"""
+Simple script to check Supabase environment variables
+"""
+
+import os
+import sys
+from pathlib import Path
+from dotenv import load_dotenv
+
+# Load .env file
+load_dotenv()
+
+print("=" * 70)
+print("Supabase Environment Variables Check")
+print("=" * 70)
+print()
+
+# Check SUPABASE_URL
+supabase_url = os.getenv("SUPABASE_URL")
+if supabase_url:
+    print(f"[OK] SUPABASE_URL is set")
+    print(f"     Value: {supabase_url}")
+    if not supabase_url.startswith("https://"):
+        print(f"     [WARNING] URL should start with https://")
+    if ".supabase.co" not in supabase_url:
+        print(f"     [WARNING] URL should contain .supabase.co")
+else:
+    print("[ERROR] SUPABASE_URL is NOT set")
+    print("        Required for Supabase integration")
+
+print()
+
+# Check SUPABASE_SERVICE_KEY
+supabase_key = os.getenv("SUPABASE_SERVICE_KEY")
+if supabase_key:
+    key_length = len(supabase_key)
+    print(f"[OK] SUPABASE_SERVICE_KEY is set")
+    print(f"     Length: {key_length} characters")
+    
+    if key_length < 100:
+        print(f"     [ERROR] Key is too short ({key_length} chars)")
+        print(f"            Expected: 200+ characters")
+        print(f"            This looks like an 'anon' key, not 'service_role' key!")
+        print(f"            Get the correct key from:")
+        print(f"            Supabase Dashboard -> Settings -> API -> service_role key")
+    elif key_length < 200:
+        print(f"     [WARNING] Key might be incomplete ({key_length} chars)")
+        print(f"              Expected: 200+ characters")
+    else:
+        print(f"     [OK] Key length looks correct ({key_length} chars)")
+    
+    # Check if it starts with eyJ (JWT token format)
+    if supabase_key.startswith("eyJ"):
+        print(f"     [OK] Key format looks correct (JWT token)")
+    else:
+        print(f"     [WARNING] Key doesn't start with 'eyJ' (unusual for JWT)")
+    
+    # Show first and last few characters (masked)
+    if key_length > 20:
+        masked = supabase_key[:10] + "..." + supabase_key[-10:]
+        print(f"     Preview: {masked}")
+else:
+    print("[ERROR] SUPABASE_SERVICE_KEY is NOT set")
+    print("        Required for Supabase integration")
+    print("        Get it from: Supabase Dashboard -> Settings -> API -> service_role key")
+
+print()
+
+# Check POSTGRESQL_URL (optional)
+postgres_url = os.getenv("POSTGRESQL_URL")
+if postgres_url:
+    print(f"[INFO] POSTGRESQL_URL is set (optional, for migrations)")
+    if len(postgres_url) > 50:
+        masked = postgres_url[:30] + "..." + postgres_url[-20:]
+        print(f"        Value: {masked}")
+    else:
+        print(f"        Value: {postgres_url}")
+else:
+    print("[INFO] POSTGRESQL_URL is not set (optional, only needed for migrations)")
+
+print()
+print("=" * 70)
+print("Summary")
+print("=" * 70)
+
+has_url = bool(supabase_url)
+has_key = bool(supabase_key)
+key_valid = has_key and len(supabase_key) >= 200
+
+if has_url and has_key and key_valid:
+    print("[SUCCESS] Supabase environment variables are correctly configured!")
+    print("          Your data should upload to Supabase automatically.")
+elif has_url and has_key:
+    print("[WARNING] Supabase URL and key are set, but key appears invalid.")
+    print("          Check that you're using the 'service_role' key (not 'anon' key).")
+elif has_url or has_key:
+    print("[ERROR] Supabase configuration is incomplete.")
+    print("        Both SUPABASE_URL and SUPABASE_SERVICE_KEY must be set.")
+else:
+    print("[ERROR] Supabase is not configured.")
+    print("        Set SUPABASE_URL and SUPABASE_SERVICE_KEY in your .env file.")
+
+print()
+print("=" * 70)
+

test_key.py

@@ -0,0 +1,45 @@
+import os
+from dotenv import load_dotenv
+
+load_dotenv()
+
+key = os.getenv("SUPABASE_SERVICE_KEY")
+url = os.getenv("SUPABASE_URL")
+
+print("Checking Supabase Configuration:")
+print("=" * 50)
+
+if key:
+    print(f"SUPABASE_SERVICE_KEY:")
+    print(f"  Length: {len(key)} characters")
+    print(f"  Starts with 'eyJ': {key.startswith('eyJ')}")
+    print(f"  First 30 chars: {key[:30]}...")
+    print(f"  Last 30 chars: ...{key[-30:]}")
+    
+    if len(key) >= 200:
+        print(f"  [OK] Key length is correct")
+    else:
+        print(f"  [WARNING] Key might be too short (expected 200+)")
+    
+    if key.startswith("eyJ"):
+        print(f"  [OK] Key format looks correct (JWT)")
+    else:
+        print(f"  [WARNING] Key doesn't start with 'eyJ'")
+else:
+    print("SUPABASE_SERVICE_KEY: NOT SET")
+
+print()
+
+if url:
+    print(f"SUPABASE_URL:")
+    print(f"  Value: {url}")
+    if url.startswith("https://") and ".supabase.co" in url:
+        print(f"  [OK] URL format looks correct")
+    else:
+        print(f"  [WARNING] URL format might be incorrect")
+else:
+    print("SUPABASE_URL: NOT SET")
+
+print()
+print("=" * 50)
+

test_supabase_connection.py

@@ -0,0 +1,81 @@
+#!/usr/bin/env python3
+"""Test Supabase connection directly"""
+
+import os
+from dotenv import load_dotenv
+
+load_dotenv()
+
+try:
+    from supabase import create_client
+    
+    supabase_url = os.getenv("SUPABASE_URL")
+    supabase_key = os.getenv("SUPABASE_SERVICE_KEY")
+    
+    print("Testing Supabase Connection:")
+    print("=" * 50)
+    print(f"URL: {supabase_url}")
+    print(f"Key length: {len(supabase_key) if supabase_key else 0}")
+    print()
+    
+    if not supabase_url or not supabase_key:
+        print("ERROR: Missing Supabase credentials")
+        exit(1)
+    
+    print("Creating Supabase client...")
+    client = create_client(supabase_url, supabase_key)
+    print("[OK] Client created successfully")
+    
+    print()
+    print("Testing table access...")
+    tables = ["tool_usage_events", "redflag_violations", "rag_search_events", "agent_query_events"]
+    
+    for table in tables:
+        try:
+            result = client.table(table).select("id").limit(1).execute()
+            print(f"[OK] Table '{table}' is accessible")
+        except Exception as e:
+            error_msg = str(e)
+            if "does not exist" in error_msg.lower() or "relation" in error_msg.lower():
+                print(f"[ERROR] Table '{table}' does NOT exist")
+                print(f"  Solution: Run supabase_analytics_tables.sql in Supabase SQL Editor")
+            elif "401" in error_msg or "Invalid API key" in error_msg:
+                print(f"[ERROR] Table '{table}' access denied - Invalid API key")
+                print(f"  Error: {error_msg[:100]}")
+            else:
+                print(f"[ERROR] Table '{table}' error: {error_msg[:100]}")
+    
+    print()
+    print("Testing insert...")
+    try:
+        test_payload = {
+            "tenant_id": "test_connection",
+            "tool_name": "connection_test",
+            "timestamp": 1234567890,
+            "success": True
+        }
+        result = client.table("tool_usage_events").insert(test_payload).execute()
+        print("[OK] Test insert successful!")
+        print(f"  Inserted {len(result.data) if result.data else 1} row(s)")
+    except Exception as e:
+        error_msg = str(e)
+        print(f"[ERROR] Test insert failed: {error_msg[:200]}")
+        if "401" in error_msg or "Invalid API key" in error_msg:
+            print("  This indicates an invalid API key")
+        elif "does not exist" in error_msg.lower():
+            print("  This indicates the table doesn't exist")
+        elif "RLS" in error_msg or "policy" in error_msg.lower():
+            print("  This indicates RLS policy blocking the insert")
+    
+    print()
+    print("=" * 50)
+    print("Connection test complete!")
+    
+except ImportError:
+    print("ERROR: supabase-py package not installed")
+    print("Install it with: pip install supabase")
+except Exception as e:
+    print(f"ERROR: {e}")
+    import traceback
+    traceback.print_exc()
+

verify_supabase_setup.py

@@ -48,7 +48,10 @@ def main():
         if len(supabase_key) > 100:
             print(f"   ✅ SUPABASE_SERVICE_KEY is set: {supabase_key[:20]}... ({len(supabase_key)} chars)")
         else:
-            print(f"   ⚠️  SUPABASE_SERVICE_KEY seems incomplete ({len(supabase_key)} chars, expected 200+)")
+            print(f"   ❌ SUPABASE_SERVICE_KEY seems incomplete ({len(supabase_key)} chars, expected 200+)")
+            print("   ⚠️  This looks like an 'anon' key, not a 'service_role' key!")
+            print("   💡 You need the SERVICE_ROLE key (not anon key) for backend operations")
+            print("   💡 Get it from: Supabase Dashboard → Settings → API → service_role key")
     else:
         print("   ❌ SUPABASE_SERVICE_KEY is not set")
     
@@ -74,11 +77,52 @@ def main():
     
     # Check AnalyticsStore
     print("3. Checking AnalyticsStore Configuration:")
+    analytics_store = None
     try:
         analytics_store = AnalyticsStore()
         if analytics_store.use_supabase:
             print("   ✅ AnalyticsStore is using Supabase")
             print(f"   📦 Backend: Supabase (REST API)")
+            
+            # Test table verification
+            if analytics_store._tables_verified:
+                print("   ✅ Analytics tables verified and accessible")
+            else:
+                print("   ⚠️  Analytics tables not verified")
+                print("   ⚠️  This may cause inserts to fail!")
+                print("   💡 Solution: Run supabase_analytics_tables.sql in Supabase SQL Editor")
+            
+            # Test actual insert
+            print()
+            print("   🧪 Testing actual insert to Supabase...")
+            try:
+                test_tenant = "test_verification"
+                analytics_store.log_tool_usage(
+                    tenant_id=test_tenant,
+                    tool_name="verification_test",
+                    latency_ms=1,
+                    success=True
+                )
+                print("   ✅ Test insert successful! Data is being saved to Supabase.")
+            except Exception as insert_error:
+                error_str = str(insert_error)
+                print(f"   ❌ Test insert failed: {insert_error}")
+                print("   💡 This indicates:")
+                
+                # Check for specific error types
+                if "Invalid API key" in error_str or "401" in error_str:
+                    print("      ❌ INVALID API KEY - This is the main issue!")
+                    print("      💡 Your SUPABASE_SERVICE_KEY is incorrect or incomplete")
+                    print("      💡 Get the correct key from: Supabase Dashboard → Settings → API")
+                    print("      💡 Make sure you're using the 'service_role' key (not 'anon' key)")
+                    print("      💡 The service_role key should be 200+ characters long")
+                elif "does not exist" in error_str.lower() or "relation" in error_str.lower():
+                    print("      - Tables may not exist (run supabase_analytics_tables.sql)")
+                elif "RLS" in error_str or "policy" in error_str.lower():
+                    print("      - RLS policies may be blocking inserts")
+                else:
+                    print("      - Schema mismatch between code and database")
+                    print("      - Check Supabase logs for more details")
         else:
             print("   ❌ AnalyticsStore is using SQLite (not Supabase)")
             print("   ⚠️  Future analytics will be saved to SQLite, not Supabase!")