Implement ledger metrics for observability and add tests for Ruby packages endpoints

- Added `LedgerMetrics` class to record write latency and total events for ledger operations.
- Created comprehensive tests for Ruby packages endpoints, covering scenarios for missing inventory, successful retrieval, and identifier handling.
- Introduced `TestSurfaceSecretsScope` for managing environment variables during tests.
- Developed `ProvenanceMongoExtensions` for attaching DSSE provenance and trust information to event documents.
- Implemented `EventProvenanceWriter` and `EventWriter` classes for managing event provenance in MongoDB.
- Established MongoDB indexes for efficient querying of events based on provenance and trust.
- Added models and JSON parsing logic for DSSE provenance and trust information.

docs/provenance/inline-dsse.md

@@ -69,6 +69,21 @@ This document defines how Stella Ops records provenance for SBOM, VEX, scan, a
 3. **Attach** the provenance block before appending the event to Mongo, using `StellaOps.Provenance.Mongo` helpers.
 4. **Backfill** historical events by resolving known subjects → attestation digests and running an update script.
 
+### 2.1 Supplying metadata from Concelier statements
+
+Concelier ingestion jobs can now inline provenance when they create advisory statements. Add an `AdvisoryProvenance` entry with `kind = "dsse"` (or `dsse-metadata` / `attestation-dsse`) and set `value` to the same JSON emitted by the CI snippet. `AdvisoryEventLog` and `AdvisoryMergeService` automatically parse that entry, hydrate `AdvisoryStatementInput.Provenance/Trust`, and persist the metadata alongside the statement.
+
+```json
+{
+  "source": "attestor",
+  "kind": "dsse",
+  "value": "{ \"dsse\": { \"envelopeDigest\": \"sha256:…\", \"payloadType\": \"application/vnd.in-toto+json\" }, \"trust\": { \"verified\": true, \"verifier\": \"Authority@stella\" } }",
+  "recordedAt": "2025-11-10T00:00:00Z"
+}
+```
+
+Providing the metadata during ingestion keeps new statements self-contained and reduces the surface that the `/events/statements/{statementId}/provenance` endpoint needs to backfill later.
+
 Reference helper: `src/__Libraries/StellaOps.Provenance.Mongo/ProvenanceMongoExtensions.cs`.
 
 ---
@@ -202,3 +217,17 @@ rules:
 | `PROV-INDEX-401-030` | Create Mongo indexes and expose helper queries for audits. |
 
 Keep this document updated when new attestation types or mirror/witness policies land.
+
+---
+
+## 9. Feedser API for provenance updates
+
+Feedser exposes a lightweight endpoint for attaching provenance after an event is recorded:
+
+```
+POST /events/statements/{statementId}/provenance
+Headers: X-Stella-Tenant, Authorization (if Authority is enabled)
+Body: { "dsse": { ... }, "trust": { ... } }
+```
+
+The body matches the JSON emitted by `publish_attestation_with_provenance.sh`. Feedser validates the payload, ensures `trust.verified = true`, and then calls `AttachStatementProvenanceAsync` so the DSSE metadata lands inline on the target statement. Clients receive HTTP 202 on success, 400 on malformed input, and 404 if the statement id is unknown.